From isn at c4i.org Thu Jun 1 01:47:27 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:27 -0500 (CDT)
Subject: [ISN] ACSAC 22 (Miami Beach, FL) - June 10 - extended deadline
Message-ID:
Forwarded from: ACSAC Distribution Manager
Dear colleague,
We are extending the submission deadlines for the technical track,
panels, tutorials and workshop until June 10, 2006.
Apologies if you receive multiple copies of this announcement.
PDF versions at
http://www.acsac.org/2006/cfp_2006.pdf
http://www.acsac.org/2006/cfp_2006-a4.pdf
---------------------------
Call For Participation
---------------------------
Submission deadline approaching!
22nd Annual Computer Security Applications Conference
December 11-15, 2006
Miami Beach, Florida
http://www.acsac.org
                    Submission        Acceptance
                    Deadline          Notification
Technical Track     June 10, 2006     Aug. 13, 2006
Panels              June 10, 2006     Aug. 13, 2006
Tutorials           June 10, 2006     Jul. 20, 2006
Workshop            June 10, 2006     Jul. 20, 2006
Case Studies        July 1, 2006      Aug. 15, 2006
Works in Progress   Sep. 8, 2006      Oct. 1, 2006
See http://www.acsac.org/cfp for detailed submission information!
Please submit blinded papers, at most 10 pages in length at 10pt.
---------------------------------------------------------------------------
ACSAC is presented by a group of professionals who are
working to facilitate information sharing among
colleagues. We're an all-volunteer not-for-profit
organization. Our postal address is 2906 Covington Road,
Silver Spring, MD 20910-1206.
You can help ACSAC reach people who might benefit from this
information. Feel free to forward this message with a
personal note to your friends and colleagues. They can sign
up at http://www.acsac.org/list.
We have moved to a new web host and are trying to remove
duplicates from our mailing lists. If you receive duplicate
messages, or simply want to be removed from our list, please
reply with the word REMOVE in the subject.
From isn at c4i.org Thu Jun 1 01:47:38 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:38 -0500 (CDT)
Subject: [ISN] Computer hacker to appeal sentence
Message-ID:
http://tvnz.co.nz/view/page/411749/735744
Jun 1, 2006
A computer hacker is to appeal against his prison sentence for
internet fraud, saying it is too severe.
Aucklander Mark Hayes, 19, was sentenced last Friday in the District
Court in Auckland to two years six months in prison after pleading
guilty to more than 100 computer-related offenses and around $38,000
worth of fraud.
In sentencing, the Judge called Hayes a "serious recidivist computer
criminal" for his offending in 2004 and reoffending while on bail in
2005.
Hayes' lawyer Peter Kaye says his client feels his sentence is too
high for a person of his age and circumstances. Hayes is not eligible
to apply for home detention.
The Crown Solicitor for Auckland last week described the sentence as
"substantial."
Crown Solicitor Simon Moore said such offending would normally draw a
jail term of three months at the most but the judge wanted to send a
clear message about the seriousness of hacking.
The court heard that in 2004, Hayes used a "keystroke logger" hacking
device to access the login password details of TradeMe account
holders.
He used their accounts to buy $18,500 worth of computer and clothing
goods, paying for them with other people's money whose bank account
details he had also hacked into.
Hayes pleaded guilty.
He then appeared before the court again for similar offending in 2005,
again using a "keystroke logger" to get bank account details. He took
around $20,000.
In sentencing, Judge David Harvey called Hayes a "serious recidivist
computer criminal", ordering a jail sentence of 30 months and the
repayment of around $18,000.
From isn at c4i.org Thu Jun 1 01:47:15 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:15 -0500 (CDT)
Subject: [ISN] Security a bridge too far
Message-ID:
http://www.thesun.co.uk/article/0,,2-2006250101,00.html
By ALEX PEAKE
May 31, 2006
THE Sun yesterday exposed security at Britain's biggest naval base as
a shambles after strolling unchallenged on to the bridge of a WARSHIP.
Our reporter walked through two checkpoints at Plymouth's HM Devonport
- brandishing a worker's lost photo ID - before spending an hour on
board the Navy's 21,578-ton flagship HMS Ocean.
Posing as a cleaner, he strolled around the deck of the giant vessel -
even pausing to flick through its log books and sip tea in the galley.
Furious Royal Navy chiefs launched TWO probes last night as it emerged
most of the ship's 500-strong company were on board.
The base is surrounded by a 9ft perimeter fence and guarded by
security staff and scores of military police officers with alsatians.
But yesterday, armed with just workmen's overalls and the lost pass -
handed to us by a concerned reader - our man gained entry after
flashing the ID card over 20 yards from guards.
They waved him through and even wished him "good morning". Yet had we
been terrorists, we could have caused carnage.
Within minutes our man found the quay where HMS Ocean, the Navy's
largest ship, is moored for maintenance.
As ship workers and sailors filed up the gangplank, we followed them
on to the warship, designed to hold 18 attack helicopters and an army
of highly-trained commandos.
Two machine gun-carrying marines were checking passes. But again our
man held his finger over the real workman's picture and marched in.
Once at the heart of the ship - which is on 24 hours' notice to sail
anywhere in the world if a crisis breaks - he was directed by one
unwitting worker to the bridge and nerve centre.
He toured the area with video gear for 15 minutes before moving to a
walkway, where photographer Marc Giddings snapped him from a road.
Our reporter also saw the engine room, living quarters and anchor
room. Only one sailor asked what he was doing, but he returned to
hoisting a flag when told our man was a cleaner.
We finally left the ship, praised for leading the Marines' 2003
invasion of southern Iraq, and left the base as easily as we walked
in.
A Navy spokesman said: "We take all breaches of security very
seriously. A full investigation by the ship and the naval base has
commenced."
From isn at c4i.org Thu Jun 1 01:47:51 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:47:51 -0500 (CDT)
Subject: [ISN] Employees may be opening doors to criminals
Message-ID:
http://news.ft.com/cms/s/458807fe-efec-11da-b80e-0000779e2340,dwp_uuid=863bb51c-1f76-11da-853a-00000e2511c8.html
By Kate Mackenzie
May 30 2006
Holding a security door open for someone laden with cups of coffee or
a big stack of documents may seem the polite thing to do. But you may
have fallen for a classic trick deployed by hackers.
The person might have been smartly dressed and looked legitimate, but
that is a key part of the deception of "social engineering", which
uses simple, everyday situations to deceive individuals into giving
out physical or technical access to facilities that can be a mine of
valuable information.
Whether getting into a building, eliciting a password over the
telephone or persuading a phishing victim to e-mail their banking
details, "social engineering" is responsible for more than half of
security breaches, and some estimates claim the proportion is as high
as 90 per cent.
Deploying a powerful firewall or maintaining up-to-date software
patches on thousands of desktop machines is easy compared with raising
employees' awareness of their own risky behaviour.
Last year, for example, three call centre staff at Mphasis, an Indian
outsourcer, tricked several Citibank customers into revealing their
Pin numbers and then stole hundreds of thousands of dollars, in an
incident that rocked the outsourcing industry.
Bob Blakley, chief scientist for security and privacy at IBM's Tivoli
division, says it is partly because there is no "standard set of
social behaviours" for tasks such as resetting a password over the
phone, so many people are easily persuaded to go along with risky
procedures.
The problem is worsening, as hacking attempts and malware are
increasingly used by organised criminals, rather than fame-hungry or
curious geeks.
Despite a consensus that it is always people who are the weakest point
in any security system, workplace prevention tactics are often
neglected or relegated to a set of acceptable use policies that are
largely ignored by staff.
By contrast, meticulous and detailed documents on the dishonest use of
"social engineering" techniques are easily available on the internet.
One such document details a vast number of techniques, ranging from
"dumpster diving" to shoulder surfing - looking over someone's
shoulder as they key in a password or Pin - to "conformity": for
example, telling the target that everyone else has given out their
password over the phone.
Appealing to people's better nature by phoning up and pretending to be
an out-of-town colleague who urgently needs to access the network is
another.
In spite of all the experimentation and refinement of techniques to
persuade and confuse potential "social engineering" targets, the
security industry's response is almost exclusively focused on
technology rather than psychology.
What can be done about it? The first thing is to take a wider view of
security, says Jan Babiak, Head of Information Security at Ernst &
Young.
"For example in certain countries, you have a very good chance of
kidnapping senior executives. The physical security [team] take
enormous precautions, but the IT people might have left something like
a calendar somewhere where it's easy to hack into."
Cisco, meanwhile, urges executives to create a "top-down" culture of
security awareness instead of palming off all security to a separate
team.
Dave Shackleford, the director of security solutions and assessment
services at Vigilar, a US security consultancy, says that executives
are often the softest target for "social engineering" experiments.
They tend to think they are "above the law" and have access to high
level information. They are also used to associating with other
top-level people, says Shackleford, so their trust levels are higher.
Mr Shackleford frequently puts clients' security defences to the test
by, for example, photographing staff IDs with a telephoto lens to copy
them. No attempted physical test undertaken by Vigilar has failed, he
says.
Mr Shackleford says companies need policies in place: "If they don't
have explicit policies laid out for their employees, then they may not
know any better."
Vigilar's clients act on the information gleaned from the tests in
different ways, but punishing employees who fell for a "social
engineering" trick is not usually one of them.
"It's human nature to be helpful," says Mr Shackleford. Instead, they
tend to respond by improving training and awareness procedures.
Some of Mr Shackleford's techniques are frighteningly simple: "Just
phoning someone's extension can reveal if they are out of town, for
example, and for how long."
Robert Chapman, chief executive of The Training Camp, which runs
security awareness courses for non-IT staff, says: "All the talk and
all the money really is on technology. People in a sense brag about
how much they spent on their Cisco firewalls." But they overlook the
obvious weaknesses.
His company recently ran the well-publicised "CD test" in London, in
which 100 CDs were handed out to workers in the City, promising a free
Valentine's Day gift if they installed it. Once installed, the CD
reported back to Chapman; he says the majority of recipients did so.
Bruce Schneier, the cryptographer who also works as a security
consultant, is not so sure.
He believes technical security must take into account behaviours, but
does not believe "social engineering" can be adequately guarded
against by training: "Have you ever met a user?" he replies when asked
about efforts to improve staff awareness.
Technology, Mr Schneier says, must be more tailored to each user's
needs and risk levels. Does a typical office worker, for example, need
to have access to a USB port or even a CD drive?
"This is not just a 'get some guys on and solve it' problem," says
Schneier. "It's like murder, burglary - all of these things, they've
been around for ever."
From isn at c4i.org Thu Jun 1 01:48:50 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 1 Jun 2006 00:48:50 -0500 (CDT)
Subject: [ISN] Police close file sharing site
Message-ID:
http://www.thelocal.se/article.php?ID=3955&date=20060531
By James Savage
31st May 2006
Police have closed down The Pirate Bay, a Sweden-based file sharing
site and one of the most popular websites of its kind in the world.
Three people were taken in for questioning after police raids in
Sweden on Wednesday. The trio, ages 22, 24 and 28, are suspected of
violating property rights legislation, police spokesman Ulf Göranzon
said.
Servers connected to the site have been impounded and the site was
down on Wednesday afternoon, although the operators of The Pirate Bay
have set up a temporary website to provide updates on the situation.
Some fifty policemen and women were involved in raids on ten homes and
offices in Sweden.
The three men taken in by police were still being questioned on
Wednesday afternoon. They all have links to The Pirate Bay.
Prosecutors will decide whether to detain the men after they have been
questioned.
"The suspects are not people who download files, but are people who
have relations to the website," Ulf Göranzon told The Local.
He would not reveal anything more about the roles that the men played.
Police have been monitoring the website and the men behind it for some
time. Computers were taken during raids on the men's homes and offices
to secure evidence.
"We are now going to look at how the operation is structured,"
Göranzon said.
"At the moment we are talking to lots of people about this case. We
are still at a very early stage in our investigations," he said.
He would not reveal whether police had their eyes on further suspects.
Henrik Pontén, lawyer at Antipiratbyrån (The Anti-Pirate Bureau) in
Stockholm, welcomed the move to close down the site.
"It is good that the Swedish police are now prioritising this kind of
crime. The copyright laws finance creativity within film, computer
gaming, music and other culture," said Pontén.
"People who break copyright laws steal from the creators and
movie-watching public of the future. The closure of The Pirate Bay is
therefore good for all of us who enjoy new film and entertainment."
But Tobias Andersson at pressure group Piratbyrån (The Pirate Bureau),
which founded The Pirate Bay, stressed that there was no
copyright-protected material on the servers.
"The Anti-Pirate Bureau has clearly misled the police in this case,"
said Andersson.
"They appear to have persuaded police who are incompetent in IT that
the servers in question are full of copyright-protected material. This
is a gross misuse of taxpayers' money."
Andersson also condemned the fact that police had closed down a number
of other websites, including The Pirate Bureau, which he says is no
longer officially linked to the Pirate Bay.
"This is the greatest infringement. The Anti-Pirate Bureau has clearly
fooled the police into closing down its antagonists, The Pirate
Bureau."
"We are very upset that the film industry doesn't dare to have a
debate, and chooses instead to trick politicians and the police into
criminalizing their opponents and a large portion of the Swedish
population."
The Pirate Bay is a BitTorrent tracker, which enables people to
download large files such as movies from other users.
From isn at c4i.org Fri Jun 2 01:16:58 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:58 -0500 (CDT)
Subject: [ISN] Ernst & Young laptop loss exposes 243,000 Hotels.com customers
Message-ID:
http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/
By Ashlee Vance in Mountain View
1st June 2006
Exclusive - Ernst & Young's laptop loss unit continues to be one of
the company's more productive divisions. We learn this week that the
accounting firm lost a system containing data on 243,000 Hotels.com
customers. Hotels.com joins the likes of Sun Microsystems, IBM, Cisco,
BP and Nokia, which have all had their employees' data exposed by
Ernst & Young, as revealed here in a series of exclusive stories.
The Register can again exclusively confirm the loss of the Hotels.com
customer information after having received a copy of a letter mailed
out jointly by the web site and Ernst & Young. A Hotels.com spokesman
also confirmed the data breach, saying Ernst & Young notified the
company of the laptop loss on May 3. The laptop in question was stolen
from an Ernst & Young worker's car in Texas and did have some basic
data protection mechanisms such as, erm, the need for a password.
"Recently, Hotels.com was informed by its outside auditor, Ernst &
Young, that one of Ernst & Young's employees had his laptop computer
stolen," Hotels.com told its customers in the letter. "Unfortunately,
the computer contained certain information about customer transactions
with Hotels.com, and other sites through which we provide booking
services directly to customers, from 2002 through 2004.
"This information may have included your name, address and some credit
or debit card information you provided at that time."
Ernst & Young in February lost one laptop that held information on
what's believed to be tens of thousands of Sun, IBM, Cisco, BP and
Nokia employees. It's not clear if this was the same system in the
Hotels.com incident. Ernst & Young has not returned our calls seeking
comment and has been reluctant to provide information on these
incidents in the past.
Ernst & Young in February also lost four laptops in Miami when its
workers decided to leave their systems in a hotel conference room
while they went out for lunch.
Major media outlets have so far ignored the Ernst & Young laptop
incidents, although they were quick to follow on our confirmation of a
Fidelity data breach that saw 200,000 HP workers have their
information exposed.
Ernst & Young offers a variety of security services to customers, and
encourages clients to be transparent with their policies around
customer data issues. The company, however, has not exactly been
proactive with regard to its own issues.
From isn at c4i.org Fri Jun 2 01:17:10 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:10 -0500 (CDT)
Subject: [ISN] Cern seeks to tighten security for data grid
Message-ID:
http://www.vnunet.com/computing/news/2157258/cern-seeks-tighten-security
Lara Williams
Computing
01 Jun 2006
Cern, the world's largest particle physics laboratory and birthplace
of the web, is starting a two-year project to improve security for its
worldwide data grid.
The European organisation for nuclear research identified that partner
sites on the grid are a security concern; many are open access public
institutions supporting the lab's projects.
Cern tests innovative technologies in partnership with industry, and
has asked security specialists Stonesoft and F-Secure to test security
for the launch of the large hadron collider (LHC) project next year.
The 27km underground particle accelerator will distribute large
amounts of information onto the worldwide LHC computing grid. More
than 1GB per second of data will be generated and either stored at
Cern or sent to 12 major computing sites and a further 100 institutes
around the world for analysis.
"The results of the security trials may provide solutions which could
eventually be commercially available to other organisations," said
Cern spokesman Francois Grey.
Although large data grids are only starting to be used in business,
Cern is seeing a lot of interest from industry. The lab is developing
grids that will reach across organisational boundaries, allowing
multiple institutions to share resources.
"Businesses are now becoming interested in this kind of grid," said
Grey. "Its use could enable suppliers and companies to share resources
and large corporations to share information between business units.
Grid technology will only be adopted if the right type of security
solutions are available."
Particle collisions in the LHC will create 15 petabytes per year of
data, and it is due to run for a decade. The grid will have a storage
and analysis infrastructure accessed by more than 7,000 scientists
worldwide.
The aim of the LHC is to simulate the events taking place one
millionth of a millionth of a second after the universe was created -
information that could revolutionise our understanding of how the
natural world works.
From isn at c4i.org Fri Jun 2 01:16:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:29 -0500 (CDT)
Subject: [ISN] VA Data in Format Not Widely Used
Message-ID:
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/31/AR2006053102000.html
By Christopher Lee
Washington Post Staff Writer
June 1, 2006
The sensitive personal information of 26.5 million veterans that was
stolen from a Department of Veterans Affairs data analyst last month
was stored in a format that could make it difficult for thieves to
use, according to an internal VA memo.
In the May 5 memo, VA privacy officer Mark Whitney wrote that the
critical data "may not be easily accessible" because most of it --
including names, birth dates and Social Security numbers -- was stored
in a specialized, standard format used for data manipulation and
statistical analysis.
The format "requires specialized application software and training" to
write computer code "to access and manipulate the data for use,"
Whitney wrote in the memo, obtained yesterday by The Washington Post.
Ari Schwartz, deputy director of the nonprofit Center for Democracy
and Technology, a privacy group, said Whitney is generally right that
the information would be hard to extract.
It would be easier, however, if the laptop stolen along with an
external hard drive and several data disks has the software needed to
view the data, he said. "This is not nearly the type of protection
they would have had if they had followed basic security procedures and
encrypted this," Schwartz said.
The Whitney memo, dated two days after the burglary at the analyst's
Aspen Hill home and distributed to several high-ranking VA officials,
provides the first public indication that some addresses and telephone
numbers were among the stolen data; it refers to such information
being part of electronic files of a national survey of about 20,000
veterans in 2001.
Also stolen was an electronic spreadsheet with 6,744 records about
"mustard gas veterans" -- generally, veterans who took part in
chemical warfare tests during World War II. Another stolen file
contains as many as 10 diagnostic codes from the treatment file of one
veteran who visited the VA health-care system on 57 dates.
"These type of data contain more than limited financial information,
the codes contain information about veterans' medical conditions,"
Rep. Bob Filner (D-Calif.) said in a statement. "It is not appropriate
for this information to ever enter the public domain."
Matthew Burns, a VA spokesman, said the department has been "focused
on getting notification to veterans that some of the most sensitive
data was out there."
Also yesterday, VA Secretary Jim Nicholson announced that he had named
Richard M. Romley, a former prosecutor from Maricopa County, Ariz., as
his new special adviser for information security. Romley, a Marine
Corps veteran, will evaluate the department's computer security
procedures and recommend improvements.
The move follows the resignation last week of Michael H. McLendon, a
VA deputy assistant secretary who learned of the May 3 burglary within
hours of the crime but did not immediately tell top-ranked officials.
Nicholson announced Tuesday that the employee will be fired and that
Dennis M. Duffy, who has been acting assistant secretary for policy
and planning, had been placed on administrative leave. The employee
worked in McLendon's office, and Duffy was in charge of the division
in which both worked.
Nicholson learned of the information breach on May 16 and told the
public on May 22, nearly three weeks after the crime.
© 2006 The Washington Post Company
From isn at c4i.org Fri Jun 2 01:16:46 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:16:46 -0500 (CDT)
Subject: [ISN] The new breed of cyber-terrorist
Message-ID:
http://news.independent.co.uk/world/science_technology/article622421.ece
By Jimmy Lee Shreeve
31 May 2006
According to cyber-security experts, the terror attacks of 11
September and 7 July could be seen as mere staging posts compared to
the havoc and devastation that might be unleashed if terrorists turn
their focus from the physical to the digital world.
Scott Borg, the director and chief economist of the US Cyber
Consequences Unit (CCU), a Department of Homeland Security advisory
group, believes that attacks on computer networks are poised to
escalate to full-scale disasters that could bring down companies and
kill people. He warns that intelligence "chatter" increasingly points
to possible criminal or terrorist plans to destroy physical
infrastructure, such as power grids. Al-Qa'ida, he stresses, is
becoming capable of carrying out such attacks.
Most companies and organisations seem oblivious to the threat.
Usually, they worry about e-mail viruses and low-grade hacker attacks.
But Borg sees these as the least of their worries. "Up to now,
executives and network professionals have worried about what
adolescents and petty criminals have been doing," he says. "In most
cases, these kinds of cyber attacks aren't very destructive. The
reason is that businesses generally have enough inventory and extra
capacity to make up for any short-term interruptions."
What companies and organisations should worry about, Borg insists, is
"what grown-ups could do" - terrorists or hardcore criminals. One key
target would probably be the vital Supervisory Control and Data
Acquisition (Scada) systems in power plants and similar industries.
"Chatter on Scada attacks is increasing," says Borg, referring to
patterns of behaviour that suggest that criminal gangs and militant
groups are now fully capable of unleashing such attacks.
"Control systems are a particular worry, because these are the
computer systems that manage physical processes. They open and shut
the valves, adjust the temperatures, throw the switches, regulate the
pressures," he says. "Think of the control systems for chemical
plants, railway lines, or manufacturing facilities. Shutting these
systems down is a nuisance. Causing them to do the wrong thing at the
wrong time is much worse."
Until now, hackers have usually targeted credit cards or personal
information on the web. More sophisticated hackers, however, are
beginning to focus on databases. The type of data most likely to be
hit, Borg says, might include a pharmaceutical company's drug
development databases, or programs that manipulate data, such as
formulas for generating financial statements.
"Many attacks of this kind would have two components. One would alter
the process control system to produce a defective product. The other
would alter the quality control system so that the defect wouldn't
easily be detected," Borg says. "Imagine, say, a life-saving drug
being produced and distributed with the wrong level of active
ingredients. This could gradually result in large numbers of deaths or
disabilities. Yet it might take months before someone figured out what
was going on." The result, he says, would be panic, people afraid to
visit hospitals and health services facing huge lawsuits.
Deadly scenarios could occur in industry, too. Online outlaws might
change key specifications at a car factory, Borg says, causing a car
to "burst into flames after it had been driven for a certain number of
weeks". Apart from people being injured or killed, the car maker would
collapse. "People would stop buying cars." A few such attacks, run
simultaneously, would send economies crashing. Populations would be in
turmoil. At the click of a mouse, the terrorists would have won.
Is Borg justified in his fears? All this sounds like a plot from a
thriller; it's hard to take it seriously. But intelligence reports in
the last year or so make for worrying reading. An assessment by the
British security service MI5 stated that "Britain is four meals away
from anarchy". And officials admit their greatest fears about
electronic attacks focus on the more exposed networks that make up the
"critical national infrastructure" - the systems Borg is concerned
about.
US agencies are concerned that terrorists could combine electronic and
physical attacks to devastating effect, such as disrupting emergency
services at the same time as mounting a bomb attack.
Risk management analysts, equally edgy, are focusing on the financial
impact on businesses and economies. They believe that an online attack
would undermine public confidence in vital industries, especially
utilities. Nick Robson, a partner at JLT Risk Solutions, says: "A
cyber attack on, say, the power industry would cause communications
operations to close down for a period of time, expose customers to
loss of service, increase liability exposure and ultimately damage
reputation for service delivery."
It isn't just Western nations that fear a digital meltdown. This
month, the Malaysian government announced plans to establish a centre
to fight cyber-terrorism, which will provide an emergency response to
hi-tech attacks around the globe. Prime Minister Abdullah Ahmad Badawi
said the facility - to be located at the technology hub of Cyberjaya
outside Kuala Lumpur - would be called the International Multilateral
Partnership against Cyber-Terrorism, or Impact, and would be funded by
a combination of government revenue and the private sector.
Badawi said the threat of cyber-terrorism was too serious for
governments to ignore. "The potential to wreak havoc and cause
disruption to people, governments and global systems has increased as
the world becomes more globalised," he said. "The economic loss caused
by a cyber attack can be truly severe; for example, a nationwide
blackout, collapse of trading systems or the crippling of a central
bank's cheque clearing system."
While the case for cyber attack appears persuasive, some believe that
much of it is hype. "It's difficult to avoid comparisons with the
Millennium bug and the predictions of widespread computer chaos
arising from the change of date to the year 2000," says Tom Standage,
technology editor at The Economist magazine. "Then, as now, the alarm
was sounded by technology vendors and consultants, who stood to gain
from scaremongering."
Almost £400m was spent by the Government alone on preparations for the
Millennium bug. Computer consultants issued dire warnings of the
danger of an information technology breakdown that could paralyse
nations on New Year's Day 2000. When the clock struck midnight,
however, few problems were reported. There is scepticism that the bug
was ever a threat. As far as Standage is concerned, those in the
cyber-security industry - be they vendors boosting sales, academics
chasing grants or politicians looking for bigger budgets - always have
a "built-in incentive to overstate the risks".
But what of the Scada systems; surely they are highly vulnerable? "It
is true that utility companies and other operators of critical
infrastructure are increasingly connected to the internet," Standage
concedes. "But just because customers pay their bills online, it
doesn't follow that critical control systems are vulnerable to attack.
Control systems are usually kept entirely separate from other systems,
for good reason. They tend to be obscure, old-fashioned systems that
are incompatible with internet technology anyhow. Even authorised
users require specialist knowledge."
A simulation in 2002 by the US Naval War College concluded that an
"electronic Pearl Harbor" attack on America's infrastructure would
certainly cause serious disruption. But to pull it off would require
five years of preparation and a $200m budget. As US computer security
guru Bruce Schneier says: "If they want to attack, they will do it
with bombs like they always have."
But Richard Clarke, a former cyber-security expert in the Bush
administration, says this is complacent. "People claim no one will
ever die in a cyber-attack, but they're wrong. This is a serious
threat."
Clarke says that each time the US government has tested the security
of the electric power industry, he and his colleagues have been able
to hack their way in, "sometimes through an obscure route like the
billing system". He reveals that computer security officers at a
number of chemical plants have told him privately that they are very
concerned about the openness of their networks.
Scott Borg of the Cyber Consequences Unit goes along with this. He
believes the $93m budget for 2007 allocated to the Department of
Homeland Security to defend against cyber attack is justified. "Even
systems isolated from the internet are often accessible to thousands
of employees. How secure can any system be if thousands of people and
thousands of data ports can provide inside access to that system?"
The threat from software
IT security consulting firm Cyber Defense Agency (CDA) has warned the
US military, government and "critical infrastructure agencies" against
using outsourced commercial software which could be tampered with by
terrorists. CDA said that gas, electricity, telecommunications,
banking and water companies are among the services that could fall
foul of cyber terrorists exploiting "life-cycle" weaknesses buried
deep in the software code. Life-cycle attacks occur when one line of
code is programmed to open vulnerabilities within the software,
exposing the software and the company to external threats. "Outsourced
commercial software poses a silent but significant security risk to
the defence and welfare of the US," says Sami Saydjari, president of
CDA. "The chances of strategic damage from a cyber-terrorist attack on
the US increase the longer it takes to remedy the risks posed by
outsourced software."
From isn at c4i.org Fri Jun 2 01:17:21 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:21 -0500 (CDT)
Subject: [ISN] Extortion virus code gets cracked
Message-ID:
http://news.bbc.co.uk/1/hi/technology/5038330.stm
1 June 2006
Do not panic if your data is hidden by virus writers demanding a
ransom.
Poor programming has allowed anti-virus companies to discover the
password to retrieve the hijacked data inside a virus that has claimed
at least one UK victim.
The Archiveus virus caught out British nurse Helen Barrow and swapped
her data with a password-protected file.
The virus is the latest example of so-called "ransomware" that tries
to extort cash from victims.
Code breaker
Analysis of Archiveus has revealed that the password to unlock the
file containing all the hijacked files is contained within the code of
the virus itself.
This virus swaps files found in the "My Documents" folder on Windows
with a single file protected by a 30-digit password. Victims are only
told the password if they buy drugs from one of three online
pharmacies.
The 30-digit password locking the files is
"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw". Using the password should
restore all the hijacked files.
"Now the password has been uncovered, there should be no reason for
anyone hit by this ransomware attack to have to make any payments to
the criminals behind it," said Graham Cluley, senior technology
consultant for security firm Sophos.
Archiveus was discovered on 6 May but it took the rest of the month
for the first victim, Rochdale nurse Helen Barrow, to emerge.
Ms Barrow is thought to have fallen victim when she responded to an
on-screen message warning her that her computer had contracted another
unnamed virus. The virus asks those it infects to buy drugs on one of
three websites to get their files back.
"When I realised what had happened, I just felt sick to the core,"
said Ms Barrow about the incident.
The Archiveus virus is only the latest in a series of malicious
programs used by extortionists to extract cash from victims. Archiveus
seems to use some parts of another ransoming virus called Cryzip that
was circulating in March 2006.
From isn at c4i.org Fri Jun 2 01:17:32 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:32 -0500 (CDT)
Subject: [ISN] Miami U. reports 2nd security breach
Message-ID:
http://www.cleveland.com/news/plaindealer/index.ssf?/base/news/1149150686240780.xml&coll=2
June 01, 2006
Associated Press
An employee at a Miami University branch campus lost a hand-held
personal computer containing private information on 851 students, but
school officials said they don't believe that the data has been used
unlawfully.
The recent case involves a potential breach of privacy that the school
takes very seriously, said Kelly Cowan, interim dean at the Middletown
campus.
Students affected were enrolled between July 2001 and May 2006,
representing about 8 percent of the students on campus during that
five-year period.
It's the second security breach at Miami since last September, when
officials said a report containing some private information on
students was accidentally placed in a file accessible through the
Internet.
It included names, Social Security numbers and information on the
21,762 students enrolled on all Miami campuses in the fall of 2002.
Cowan said the school is tightening its security and increasing
employee training.
From isn at c4i.org Fri Jun 2 01:17:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:17:45 -0500 (CDT)
Subject: [ISN] Toronto firm at centre of security breach
Message-ID:
http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&pubid=968163964505&cid=1149113029270&col=968705899037&call_page=TS_News&call_pageid=968332188492
By TYLER HAMILTON
BUSINESS REPORTER
Jun. 1, 2006
Toronto software provider Hummingbird Ltd. has found itself at the
centre of an embarrassing privacy accident involving the social
security numbers of 1.3 million American students.
Hummingbird disclosed yesterday evening that one of its employees lost
a piece of computer equipment that contained the names and social
security numbers of customers who borrowed funds from Round Rock,
Tex.-based Texas Guaranteed, a non-profit company that administers a
U.S. family education loan program.
"The privacy of customer data is of utmost importance to us and we
take our responsibility to safeguard it very seriously. We deeply
regret that this incident has occurred," Barry Litwin, Hummingbird's
president and chief executive, said in a statement.
"We continue to investigate the facts surrounding this loss of
information and are taking all necessary action in order to ensure
that such occurrences do not happen in the future."
Hummingbird, which announced on May 26 that it is being acquired by
Palo Alto, Calif.-based holding company Symphony Technology Group for
$465 million (U.S.), said it has no reason to believe the equipment
was stolen to obtain confidential data.
The company said the equipment was password-protected and that it was
"extremely unlikely" the data would be misused. Hummingbird was given
the data as part of a contract to develop a custom document management
system for Texas Guaranteed.
According to information on Texas Guaranteed's Web site, the equipment
was lost on May 24 but Hummingbird didn't notify the company until
mid-afternoon on May 26, the day Hummingbird disclosed its deal with
Symphony.
The U.S. loan provider said that customers whose information was lost
will be notified over the coming weeks and given advice on how to
guard against identity theft.
"Even though this information is not easily accessed and used, and
even though the loss appears to be inadvertent, we are issuing this
release out of an abundance of caution, because the piece of equipment
has not been located," said Sue McMillin, president and CEO of Texas
Guaranteed, in a statement.
The use of social security numbers as a form of identification in the
United States has been a topic of considerable controversy in recent
weeks. In early May, computer disks containing the social security
numbers of 26.5 million U.S. veterans were stolen from the U.S.
Department of Veteran Affairs, putting millions of Americans at risk
of identity fraud.
From isn at c4i.org Fri Jun 2 01:18:07 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 2 Jun 2006 00:18:07 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-22
Message-ID:
========================================================================
The Secunia Weekly Advisory Summary
2006-05-25 - 2006-06-01
This week: 102 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
The Secunia staff spends hours every day to ensure you have the best
and most reliable source of vulnerability information. Every single
vulnerability report is validated and verified before a Secunia
advisory is written.
Secunia validates and verifies vulnerability reports in many different
ways, e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/
========================================================================
2) This Week in Brief:
eEye Digital Security has reported a vulnerability in Symantec Client
Security and Symantec AntiVirus Corporate Edition, which can be
exploited by malicious people to compromise a user's system.
Users of Symantec products are advised to view the referenced Secunia
advisory for additional details and information about patches.
Reference:
http://secunia.com/SA20318
--
VIRUS ALERTS:
Secunia has not issued any virus alerts during the week.
========================================================================
3) This Week's Top Ten Most Read Advisories:
1. [SA20153] Microsoft Word Malformed Object Code Execution
Vulnerability
2. [SA19762] Internet Explorer "object" Tag Memory Corruption
Vulnerability
3. [SA20107] RealVNC Password Authentication Bypass Vulnerability
4. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of
Sensitive Information
5. [SA20261] Cisco VPN Client Privilege Escalation Vulnerability
6. [SA19521] Internet Explorer Window Loading Race Condition Address
Bar Spoofing
7. [SA18680] Microsoft Internet Explorer "createTextRange()" Code
Execution
8. [SA20288] Novell Netware abend.log User Credentials Disclosure
9. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
10. [SA20300] Basic Analysis and Security Engine "BASE_path" File
Inclusion
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA20361] wodSFTP ActiveX Component Arbitrary File Access
Vulnerability
[SA20318] Symantec Client Security / AntiVirus Unspecified Code
Execution
[SA20407] F-Secure Products Web Console Buffer Overflow Vulnerability
[SA20357] Enigma Haber Multiple SQL Injection Vulnerabilities
[SA20355] AspSitem SQL Injection and Private Message Disclosure
[SA20348] Nukedit "groupid" Parameter Administrator Register
Vulnerability
[SA20347] Hitachi HITSENSER3 SQL Injection Vulnerability
[SA20335] My Web Server Long URL Denial of Service
[SA20317] Mini-NUKE SQL Injection Vulnerabilities
[SA20309] qjForum member.asp SQL Injection Vulnerability
[SA20294] NewsCMSLite Admin Logon Bypass Vulnerability
[SA20360] ASPBB "search" Parameter Cross-Site Scripting Vulnerability
[SA20319] Omegasoft Insel "WCE" Parameter Cross-Site Scripting
[SA20342] Jiwa Financials Information Disclosure Vulnerability
UNIX/Linux:
[SA20313] Ubuntu update for nagios
[SA20281] Mandriva update for mpg123
[SA20398] SUSE update for kernel
[SA20374] 4nForum "tid" Parameter SQL Injection Vulnerability
[SA20345] Gentoo update for libtiff
[SA20344] Gentoo update for cherrypy
[SA20339] Mandriva update for dia
[SA20338] Debian update for kernel-source-2.4.17
[SA20326] Debian update for libextractor
[SA20323] Open-Xchange Default Account Password
[SA20314] Ubuntu update for postgresql
[SA20284] Pre News Manager Multiple SQL Injection Vulnerabilities
[SA20381] UnixWare update for MySQL
[SA20283] Debian update for awstats
[SA20396] SUSE update for rug
[SA20389] FreeBSD ypserv Inoperative Access Controls Security Issue
[SA20333] Debian update for mysql-dfsg
[SA20302] OpenOBEX ircp File Overwrite Vulnerability
[SA20390] FreeBSD SMBFS chroot Directory Traversal Vulnerability
[SA20388] SUSE update for vixie-cron
[SA20380] Vixie Cron "do_command.c" setuid Security Issue
[SA20370] Shadow "useradd.c" Insecure Mailbox File Permissions
[SA20368] Debian update for motor
[SA20332] Avaya PDS Software Distributor Privilege Escalation
[SA20329] Motor ktools VGETSTRING Buffer Overflow Vulnerability
[SA20325] AIX lsmcode Unspecified Privilege Escalation Vulnerability
[SA20312] SUSE update for foomatic-filters
[SA20369] xine-lib HTTP Response Heap Corruption Weakness
[SA20330] Debian update for tiff
[SA20315] Debian update for dovecot
[SA20308] Dovecot "LIST" Command Directory Traversal Weakness
[SA20349] Linux Kernel SMP "/proc" Race Condition Denial of Service
[SA20337] PHP "curl_init()" Safe Mode Bypass Weakness
Other:
[SA20378] Secure Elements Class 5 AVR Multiple Vulnerabilities
[SA20343] D-Link Airspot DSA-3100 Gateway "uname" Cross-Site Scripting
[SA20288] Novell Netware abend.log User Credentials Disclosure
[SA20377] Secure Elements Class 5 AVR Message Encryption Security
Issue
Cross Platform:
[SA20404] METAjour "system_path" Parameter File Inclusion
Vulnerabilities
[SA20399] Ottoman "default_path" File Inclusion Vulnerabilities
[SA20373] phpMyDesktop|arcade Local File Inclusion and Script
Insertion
[SA20364] IBM DCE Two Kerberos Vulnerabilities
[SA20358] F@cile Interactive Web Multiple Vulnerabilities
[SA20356] tinyBB SQL Injection and File Inclusion Vulnerabilities
[SA20354] phpBB Activity Mod Plus Module "phpbb_root_path" File
Inclusion
[SA20353] UBB.threads Cross-Site Scripting and File Inclusion
[SA20350] phpBB Blend Portal System Module "phpbb_root_path" File
Inclusion
[SA20346] Fastpublish CMS "config[fsBase]" File Inclusion
Vulnerabilities
[SA20331] Hot Open Tickets "CLASS_PATH" Parameter File Inclusion
[SA20310] Plume CMS "/manager/frontinc/prepend.php" File Inclusion
[SA20301] open-medium.CMS "404.php" File Inclusion Vulnerability
[SA20300] Basic Analysis and Security Engine "BASE_path" File
Inclusion
[SA20299] ActionApps "GLOBALS[AA_INC_PATH]" File Inclusion
[SA20298] DoceboLMS "lang" Parameter File Inclusion Vulnerabilities
[SA20292] Back-End CMS "_PSL[classdir]" File Inclusion Vulnerability
[SA20375] pppBLOG "files[0]" Parameter Disclosure of Sensitive
Information
[SA20367] WebCalendar "includedir" Parameter Arbitrary Setting File
Loading
[SA20366] WikiNi Script Insertion Vulnerabilities
[SA20359] phpBB Nivisec Hacks List Module Local File Inclusion
[SA20352] Eggblog posts.php SQL Injection Vulnerability
[SA20351] aMule Information Disclosure Vulnerability
[SA20316] Geeklog Multiple Vulnerabilities and Weaknesses
[SA20307] Seditio "Referer" HTTP Header Script Insertion Vulnerability
[SA20304] ByteHoard File Copy and Script Insertion Vulnerabilities
[SA20303] MailManager PostgreSQL Encoding-Based SQL Injection
[SA20297] V-webmail "CONFIG[pear_dir]" File Inclusion Vulnerability
[SA20295] Pre Shopping Mall SQL Injection Vulnerabilities
[SA20290] ChatPat Script Insertion and SQL Injection Vulnerabilities
[SA20287] iFdate Cross-Site Scripting and Script Insertion
Vulnerabilities
[SA20286] Realty Pro One Cross-Site Scripting and SQL Injection
[SA20363] XiTi Tracking Script "xiti.js" Cross-Site Scripting
Vulnerabilities
[SA20341] Open Searchable Image Catalogue SQL Injection
Vulnerabilities
[SA20340] DGNews "upprocess.php" File Upload Vulnerability
[SA20336] Photoalbum B&W "index.php" Cross-Site Scripting
Vulnerabilities
[SA20334] TikiWiki Multiple Cross-Site Scripting Vulnerabilities
[SA20327] Achievo "atkselector" Parameter SQL Injection Vulnerability
[SA20324] Vacation Rental Script "obj" Parameter Cross-Site Scripting
[SA20322] Pretty Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20321] Smile Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20320] Morris Guestbook "pagina" Cross-Site Scripting Vulnerability
[SA20311] php-residence Multiple Script Insertion Vulnerabilities
[SA20306] PHPSimpleChoose Cross-Site Scripting Vulnerability
[SA20305] PHP-AGTC membership system "useremail" Script Insertion
[SA20296] CMS Mundo "searchstring" Cross-Site Scripting Vulnerability
[SA20293] phpESP ADOdb Cross-Site Scripting Vulnerabilities
[SA20291] AZ Photo Album Script Pro Cross-Site Scripting Vulnerability
[SA20289] Elite-Board "search" Parameter Cross-Site Scripting
Vulnerability
[SA20285] Assetman Unspecified Script Insertion Vulnerabilities
[SA20282] iFlance Multiple Cross-Site Scripting Vulnerabilities
========================================================================
5) Vulnerabilities Content Listing
Windows:
--
[SA20361] wodSFTP ActiveX Component Arbitrary File Access
Vulnerability
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information, System access
Released: 2006-05-31
Will Dormann has reported a vulnerability in WeOnlyDo wodSFTP, which
can be exploited by malicious people to disclose sensitive information
and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20361/
--
[SA20318] Symantec Client Security / AntiVirus Unspecified Code
Execution
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
eEye Digital Security has reported a vulnerability in Symantec Client
Security and Symantec AntiVirus Corporate Edition, which can be
exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20318/
--
[SA20407] F-Secure Products Web Console Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-01
A vulnerability has been reported in F-Secure Anti-Virus for Microsoft
Exchange and F-Secure Internet Gatekeeper, which potentially can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20407/
--
[SA20357] Enigma Haber Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
Mustafa Can Bjorn has reported some vulnerabilities in Enigma Haber,
which can be exploited by malicious people to conduct SQL injection
attacks.
Full Advisory:
http://secunia.com/advisories/20357/
--
[SA20355] AspSitem SQL Injection and Private Message Disclosure
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2006-05-29
Mustafa Can Bjorn has reported two vulnerabilities in AspSitem, which
can be exploited by malicious users to disclose sensitive information
or malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20355/
--
[SA20348] Nukedit "groupid" Parameter Administrator Register
Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-30
FarhadKey has discovered a vulnerability in Nukedit, which can be
exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20348/
--
[SA20347] Hitachi HITSENSER3 SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-31
A vulnerability has been reported in Hitachi HITSENSER3, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20347/
--
[SA20335] My Web Server Long URL Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-05-29
s3rv3r_hack3r has discovered a vulnerability in My Web Server, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20335/
--
[SA20317] Mini-NUKE SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
Mustafa Can Bjorn has reported some vulnerabilities in Mini-NUKE, which
can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20317/
--
[SA20309] qjForum member.asp SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
ajann has reported a vulnerability in qjForum, which can be exploited
by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20309/
--
[SA20294] NewsCMSLite Admin Logon Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-26
FarhadKey has discovered a vulnerability in NewsCMSLite, which can be
exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20294/
--
[SA20360] ASPBB "search" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Mustafa Can Bjorn has reported a vulnerability in ASPBB, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20360/
--
[SA20319] Omegasoft Insel "WCE" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-31
MC.Iglo has reported a vulnerability in Omegasoft Insel, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20319/
--
[SA20342] Jiwa Financials Information Disclosure Vulnerability
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-05-30
Robert Passlow has reported a vulnerability in Jiwa Financials, which
can be exploited by malicious users to disclose potentially sensitive
information.
Full Advisory:
http://secunia.com/advisories/20342/
UNIX/Linux:
--
[SA20313] Ubuntu update for nagios
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-30
Ubuntu has issued an update for nagios. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20313/
--
[SA20281] Mandriva update for mpg123
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
Mandriva has issued an update for mpg123. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/20281/
--
[SA20398] SUSE update for kernel
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure
of sensitive information, DoS
Released: 2006-06-01
SUSE has issued an update for the kernel. This fixes some
vulnerabilities and weaknesses, which can be exploited by malicious,
local users to bypass certain security restrictions, gain knowledge of
potentially sensitive information and to cause a DoS (Denial of
Service), and by malicious people to disclose certain system
information, potentially to bypass certain security restrictions and to
cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20398/
--
[SA20374] 4nForum "tid" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-31
CrAzY CrAcKeR has reported a vulnerability in 4nForum, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20374/
--
[SA20345] Gentoo update for libtiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-31
Gentoo has issued an update for libtiff. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20345/
--
[SA20344] Gentoo update for cherrypy
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-31
Gentoo has issued an update for cherrypy. This fixes a vulnerability,
which can be exploited by malicious people to disclose potentially
sensitive information.
Full Advisory:
http://secunia.com/advisories/20344/
--
[SA20339] Mandriva update for dia
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-31
Mandriva has issued an update for dia. This fixes some vulnerabilities,
which potentially can be exploited by malicious people to compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/20339/
--
[SA20338] Debian update for kernel-source-2.4.17
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information, Privilege escalation, DoS, System access
Released: 2006-05-31
Debian has issued an update for kernel-source-2.4.17. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
gain knowledge of sensitive information, cause a DoS (Denial of
Service), gain escalated privileges, and by malicious people to cause a
DoS, and disclose potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/20338/
--
[SA20326] Debian update for libextractor
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-05-29
Debian has issued an update for libextractor. This fixes two
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise an application that
uses the library.
Full Advisory:
http://secunia.com/advisories/20326/
--
[SA20323] Open-Xchange Default Account Password
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-05-29
Cemil Degirmenci has reported a security issue in Open-Xchange, which
potentially can be exploited by malicious people to bypass certain
security restrictions.
Full Advisory:
http://secunia.com/advisories/20323/
--
[SA20314] Ubuntu update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-30
Ubuntu has issued an update for postgresql. This fixes two
vulnerabilities, which potentially can be exploited by malicious people
to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20314/
--
[SA20284] Pre News Manager Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26
luny has reported some vulnerabilities in Pre News Manager, which can
be exploited by malicious people to conduct cross-site scripting
attacks and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20284/
--
[SA20381] UnixWare update for MySQL
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-01
SCO has issued an update for MySQL. This fixes a vulnerability, which
can be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20381/
--
[SA20283] Debian update for awstats
Critical: Less critical
Where: From remote
Impact: Security Bypass, System access
Released: 2006-05-26
Debian has issued an update for awstats. This fixes a security issue,
which can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20283/
--
[SA20396] SUSE update for rug
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-06-01
SUSE has issued an update for rug. This fixes a security issue and a
weakness, which can be exploited by malicious, local users to disclose
certain sensitive information and potentially by malicious people to
bypass security restrictions.
Full Advisory:
http://secunia.com/advisories/20396/
--
[SA20389] FreeBSD ypserv Inoperative Access Controls Security Issue
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-06-01
A security issue has been reported in FreeBSD, which can be exploited
by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20389/
--
[SA20333] Debian update for mysql-dfsg
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of sensitive information, System
access
Released: 2006-05-29
Debian has issued an update for mysql-dfsg. This fixes some
vulnerabilities, which can be exploited by malicious users to bypass
certain security restrictions, disclose potentially sensitive
information, and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20333/
--
[SA20302] OpenOBEX ircp File Overwrite Vulnerability
Critical: Less critical
Where: From local network
Impact: Manipulation of data
Released: 2006-05-26
Jeroen van Wolffelaar has reported a vulnerability in Open OBEX, which
can be exploited by malicious people to manipulate certain data on a
user's system.
Full Advisory:
http://secunia.com/advisories/20302/
--
[SA20390] FreeBSD SMBFS chroot Directory Traversal Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-01
A vulnerability has been reported in FreeBSD, which can be exploited by
malicious, local users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20390/
--
[SA20388] SUSE update for vixie-cron
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-01
SUSE has issued an update for vixie-cron. This fixes a security issue,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/20388/
--
[SA20380] Vixie Cron "do_command.c" setuid Security Issue
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-01
Roman Veretelnikov has reported a security issue in Vixie Cron, which
potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/20380/
--
[SA20370] Shadow "useradd.c" Insecure Mailbox File Permissions
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-31
A security issue has been reported in Shadow, which potentially can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
Full Advisory:
http://secunia.com/advisories/20370/
--
[SA20368] Debian update for motor
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-31
Debian has issued an update for motor. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/20368/
--
[SA20332] Avaya PDS Software Distributor Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-29
Avaya has acknowledged a vulnerability in Avaya Predictive Dialing
System (PDS), which can be exploited by malicious, local users to gain
escalated privileges.
Full Advisory:
http://secunia.com/advisories/20332/
--
[SA20329] Motor ktools VGETSTRING Buffer Overflow Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-31
A vulnerability has been reported in Motor, which potentially can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
Full Advisory:
http://secunia.com/advisories/20329/
--
[SA20325] AIX lsmcode Unspecified Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-29
A vulnerability has been reported in AIX, which can be exploited by
malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/20325/
--
[SA20312] SUSE update for foomatic-filters
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-05-30
SUSE has issued an update for foomatic-filters. This fixes a
vulnerability, which can be exploited by malicious, local users to gain
escalated privileges.
Full Advisory:
http://secunia.com/advisories/20312/
--
[SA20369] xine-lib HTTP Response Heap Corruption Weakness
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-05-31
Federico L. Bossi Bonin has discovered a weakness in xine-lib, which
can be exploited by malicious people to crash certain applications on a
user's system.
Full Advisory:
http://secunia.com/advisories/20369/
--
[SA20330] Debian update for tiff
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-05-29
Debian has issued an update for tiff. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20330/
--
[SA20315] Debian update for dovecot
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
Debian has issued an update for dovecot. This fixes a weakness, which
can be exploited by malicious users to gain knowledge of potentially
sensitive information.
Full Advisory:
http://secunia.com/advisories/20315/
--
[SA20308] Dovecot "LIST" Command Directory Traversal Weakness
Critical: Not critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
A weakness has been reported in Dovecot, which can be exploited by
malicious users to gain knowledge of potentially sensitive
information.
Full Advisory:
http://secunia.com/advisories/20308/
--
[SA20349] Linux Kernel SMP "/proc" Race Condition Denial of Service
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-05-31
Tony Griffiths has reported a vulnerability in the Linux Kernel, which
can be exploited by malicious, local users to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20349/
--
[SA20337] PHP "curl_init()" Safe Mode Bypass Weakness
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2006-05-30
Maksymilian Arciemowicz has discovered a weakness in PHP, which can be
exploited by malicious, local users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20337/
Other:
--
[SA20378] Secure Elements Class 5 AVR Multiple Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: Security Bypass, Spoofing, Exposure of system information,
Exposure of sensitive information, DoS, System access
Released: 2006-05-31
Multiple vulnerabilities and security issues have been reported in
Secure Elements Class 5 AVR, which can be exploited by malicious people
to disclose potentially sensitive information, bypass certain security
restrictions, spoof the contents of messages, cause a DoS (Denial of
Service) and potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20378/
--
[SA20343] D-Link Airspot DSA-3100 Gateway "uname" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
jaime.blasco has reported a vulnerability in D-Link Airspot DSA-3100
Gateway, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20343/
--
[SA20288] Novell Netware abend.log User Credentials Disclosure
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-05-26
A security issue has been reported in Novell Netware, which can be
exploited by malicious, local users to gain knowledge of sensitive
information.
Full Advisory:
http://secunia.com/advisories/20288/
--
[SA20377] Secure Elements Class 5 AVR Message Encryption Security
Issue
Critical: Not critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-05-31
A security issue has been reported in Secure Elements Class 5 AVR,
which potentially can be exploited by malicious people to disclose
certain sensitive information.
Full Advisory:
http://secunia.com/advisories/20377/
Cross Platform:
--
[SA20404] METAjour "system_path" Parameter File Inclusion
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-01
Kacper has discovered some vulnerabilities in METAjour, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20404/
--
[SA20399] Ottoman "default_path" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-01
Kacper has discovered some vulnerabilities in Ottoman, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20399/
--
[SA20373] phpMyDesktop|arcade Local File Inclusion and Script
Insertion
Critical: Highly critical
Where: From remote
Impact: Exposure of sensitive information, System access, Cross
Site Scripting
Released: 2006-05-31
darkgod has discovered two vulnerabilities in phpMyDesktop|arcade,
which can be exploited by malicious people to conduct script insertion
attacks, disclose sensitive information, and compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20373/
--
[SA20364] IBM DCE Two Kerberos Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-01
IBM has acknowledged two vulnerabilities in IBM DCE, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20364/
--
[SA20358] F@cile Interactive Web Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-05-29
Mustafa Can Bjorn has reported some vulnerabilities in F@cile
Interactive Web, which can be exploited by malicious people to conduct
cross-site scripting attacks, disclose sensitive information, and
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20358/
--
[SA20356] tinyBB SQL Injection and File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-05-29
Mustafa Can Bjorn has discovered some vulnerabilities in tinyBB, which
can be exploited by malicious people to conduct SQL injection attacks
and to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20356/
--
[SA20354] phpBB Activity Mod Plus Module "phpbb_root_path" File
Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Mustafa Can Bjorn has reported a vulnerability in the Activity Mod Plus
module for phpBB, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20354/
--
[SA20353] UBB.threads Cross-Site Scripting and File Inclusion
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-05-30
Mustafa Can Bjorn has discovered some vulnerabilities in UBB.threads,
which can be exploited by malicious people to conduct cross-site
scripting attacks and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20353/
--
[SA20350] phpBB Blend Portal System Module "phpbb_root_path" File
Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Mustafa Can Bjorn has reported a vulnerability in the Blend Portal
System module for phpBB, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20350/
--
[SA20346] Fastpublish CMS "config[fsBase]" File Inclusion
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-30
Kacper has reported some vulnerabilities in Fastpublish CMS, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20346/
--
[SA20331] Hot Open Tickets "CLASS_PATH" Parameter File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
Kacper has discovered a vulnerability in Hot Open Tickets, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20331/
--
[SA20310] Plume CMS "/manager/frontinc/prepend.php" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-29
beford has discovered a vulnerability in Plume CMS, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20310/
--
[SA20301] open-medium.CMS "404.php" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered a vulnerability in the open-medium.CMS, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20301/
--
[SA20300] Basic Analysis and Security Engine "BASE_path" File
Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
str0ke has discovered some vulnerabilities in Basic Analysis and
Security Engine, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20300/
--
[SA20299] ActionApps "GLOBALS[AA_INC_PATH]" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered some vulnerabilities in ActionApps, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20299/
--
[SA20298] DoceboLMS "lang" Parameter File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
beford has discovered some vulnerabilities in DoceboLMS, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20298/
--
[SA20292] Back-End CMS "_PSL[classdir]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-05-26
Kacper has discovered a vulnerability in Back-End CMS, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20292/
--
[SA20375] pppBLOG "files[0]" Parameter Disclosure of Sensitive
Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-01
rgod has discovered a vulnerability in pppBLOG, which can be exploited
by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/20375/
--
[SA20367] WebCalendar "includedir" Parameter Arbitrary Setting File
Loading
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-05-31
socsam has discovered a vulnerability in WebCalendar, which can be
exploited by malicious people to bypass certain security restrictions
and disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/20367/
--
[SA20366] WikiNi Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-30
Raphael Huck has discovered some vulnerabilities in WikiNi, which can
be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20366/
--
[SA20359] phpBB Nivisec Hacks List Module Local File Inclusion
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-05-29
Mustafa Can Bjorn has discovered a vulnerability in the Nivisec Hacks
List module for phpBB, which can be exploited by malicious people to
disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/20359/
--
[SA20352] Eggblog posts.php SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-29
Mustafa Can Bjorn has discovered a vulnerability in Eggblog, which can
be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20352/
--
[SA20351] aMule Information Disclosure Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information
Released: 2006-05-29
A vulnerability has been reported in aMule, which can be exploited by
malicious people and by malicious users to disclose potentially
sensitive information.
Full Advisory:
http://secunia.com/advisories/20351/
--
[SA20316] Geeklog Multiple Vulnerabilities and Weaknesses
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of
system information
Released: 2006-05-30
trueend5 has reported some vulnerabilities and weaknesses in Geeklog,
which can be exploited by malicious people to disclose system
information, and conduct cross-site scripting and SQL injection
attacks.
Full Advisory:
http://secunia.com/advisories/20316/
--
[SA20307] Seditio "Referer" HTTP Header Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Yunus Emre Yilmaz has discovered a vulnerability in Seditio, which can
be exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20307/
--
[SA20304] ByteHoard File Copy and Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-29
Nomenumbra has discovered two vulnerabilities in ByteHoard, which can
be exploited by malicious people to manipulate sensitive information
and conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20304/
--
[SA20303] MailManager PostgreSQL Encoding-Based SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-26
A vulnerability has been reported in MailManager, which potentially can
be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20303/
--
[SA20297] V-webmail "CONFIG[pear_dir]" File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-05-26
beford has discovered a vulnerability in V-webmail, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20297/
--
[SA20295] Pre Shopping Mall SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-26
luny has reported some vulnerabilities in Pre Shopping Mall, which can
be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20295/
--
[SA20290] ChatPat Script Insertion and SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26
luny has reported two vulnerabilities in ChatPat, which can be
exploited by malicious people to conduct script insertion and SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20290/
--
[SA20287] iFdate Cross-Site Scripting and Script Insertion
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported some vulnerabilities in iFdate, which can be
exploited by malicious people to conduct cross-site scripting and
script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20287/
--
[SA20286] Realty Pro One Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-26
luny has reported some vulnerabilities in Realty Pro One, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20286/
--
[SA20363] XiTi Tracking Script "xiti.js" Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-31
Yannick Daffaud has reported two vulnerabilities in the XiTi Tracking
Script, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20363/
--
[SA20341] Open Searchable Image Catalogue SQL Injection
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-05-31
Nenad Jovanovic has discovered some vulnerabilities in Open Searchable
Image Catalogue, which can be exploited by malicious users to conduct
SQL injection attacks and by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20341/
--
[SA20340] DGNews "upprocess.php" File Upload Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-05-30
r0t has discovered a vulnerability in DGNews, which can be exploited by
malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20340/
--
[SA20336] Photoalbum B&W "index.php" Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-30
black-code and sweet-devil have discovered some vulnerabilities in
Photoalbum B&W, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20336/
--
[SA20334] TikiWiki Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Blwood has discovered some vulnerabilities in TikiWiki, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20334/
--
[SA20327] Achievo "atkselector" Parameter SQL Injection Vulnerability
Critical: Less critical
Where: From remote
Impact: Manipulation of data
Released: 2006-05-30
Christian Nancy has reported a vulnerability in Achievo, which can be
exploited by malicious users to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20327/
--
[SA20324] Vacation Rental Script "obj" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Vacation Rental Script, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20324/
--
[SA20322] Pretty Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Pretty Guestbook, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20322/
--
[SA20321] Smile Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Smile Guestbook, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20321/
--
[SA20320] Morris Guestbook "pagina" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in Morris Guestbook, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20320/
--
[SA20311] php-residence Multiple Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has reported some vulnerabilities in php-residence, which
can be exploited by malicious users to conduct script insertion
attacks.
Full Advisory:
http://secunia.com/advisories/20311/
--
[SA20306] PHPSimpleChoose Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
luny has discovered a vulnerability in PHPSimpleChoose, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20306/
--
[SA20305] PHP-AGTC membership system "useremail" Script Insertion
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has discovered a vulnerability in PHP-AGTC membership
system, which can be exploited by malicious users to conduct script
insertion attacks.
Full Advisory:
http://secunia.com/advisories/20305/
--
[SA20296] CMS Mundo "searchstring" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in CMS Mundo, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20296/
--
[SA20293] phpESP ADOdb Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Some vulnerabilities have been reported in phpESP, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20293/
--
[SA20291] AZ Photo Album Script Pro Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in AZ Photo Album Script Pro, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20291/
--
[SA20289] Elite-Board "search" Parameter Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported a vulnerability in Elite-Board, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20289/
--
[SA20285] Assetman Unspecified Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-29
Nomenumbra has reported some vulnerabilities in Assetman, which can be
exploited by malicious users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20285/
--
[SA20282] iFlance Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-05-26
luny has reported some vulnerabilities in iFlance, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20282/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
From isn at c4i.org Mon Jun 5 04:26:44 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:44 -0500 (CDT)
Subject: [ISN] HP printer drivers hit with Funlove virus
Message-ID:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000907
By Robert McMillan
IDG News Service
June 02, 2006
Hewlett-Packard Co. on Thursday pulled a printer driver from its Web
site after security vendor BitDefender reported that the software was
infected with the same computer virus that infected HP's drivers more
than five years ago.
A BitDefender partner notified the security vendor of the infected
driver software on Wednesday, and the company's security researchers
soon determined that it had the same Funlove virus that had plagued HP
in December 2000.
BitDefender notified HP of the problem on Wednesday, and the infected
printer driver was removed from HP's Web site early Thursday, said
BitDefender spokesman Vitor Souza.
Until then, the virus was being distributed with the Korean version of
the Windows 95/98 driver for HP's Officejet g85 All-in-One printer. HP
no longer sells the all-in-one printer, and the current antivirus
products are able to block it. So while the oversight is an
embarrassment for HP, it's unlikely that many users were affected by
Funlove.
Previously, HP had inadvertently distributed the Funlove virus in
Japanese printer drivers that were made available on the company's Web
site. Souza believes that HP most likely neglected to remove this
particular infected driver back in 2000. "It's just like nobody had run
a test against antivirus [software]," he said.
Even for users who fall prey to the virus, the consequences are not
severe.
When it gets installed, Funlove pops up a text message that reads
"Fun Loving Criminal," and then attempts to reboot the PC. On Windows
NT machines, it attempts to change system settings so that files that
can normally be seen only by administrators are visible to all.
HP executives were not immediately available to comment for this
story.
BitDefender is owned by Softwin SRL, based in Bucharest, Romania.
From isn at c4i.org Mon Jun 5 04:26:21 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:21 -0500 (CDT)
Subject: [ISN] PaineWebber Systems Admin Faces Trial For Computer Sabotage
Message-ID:
http://www.informationweek.com/security/showArticle.jhtml?articleID=188700855
By Sharon Gaudin
InformationWeek
Jun 1, 2006
A former systems administrator for financial giant UBS PaineWebber
goes on trial Tuesday for allegedly sabotaging two-thirds of the
company's computer network in what prosecutors say was a vengeful
attempt to profit from a crashing stock price.
Roger Duronio, 63, of Bogota, N.J., is facing federal charges in front
of a U.S. District Court in Newark, in connection to the creation and
planting of malicious code on more than 1,000 computers in the
company's central office, as well as in approximately 370 branch
offices. When the malicious code, or "logic bomb," was triggered on
March 4, 2002, it began deleting files and data, taking down many
PaineWebber computers across the United States and hindering trading
for days in some branch offices and for several weeks in others,
according to Assistant U.S. Attorney Mauro Wolfe, lead prosecutor on
the case.
The attack, according to the indictment, cost UBS PaineWebber, which
was renamed UBS Wealth Management USA in 2003, $3 million just to
assess and repair the damage. The company didn't submit a list of
losses to the government based on business downtime or lost trading
opportunities.
Chris Adams, Duronio's defense attorney and a partner at Walder Hayden
& Brogan in Roseland, N.J., says the government has the wrong man.
Duronio has pleaded not guilty to all charges. He has been free on
bail awaiting trial for the past four years. Adams says he's not
working in an IT position at this time.
According to Wolfe, Duronio is facing four counts--one count of
computer intrusion, one count of mail fraud, and two counts of
securities fraud. The government contends that Duronio tried to profit
from the attack by manipulating the stock price of the global
investment banking and securities firm with the attack on its network.
The government contends that in the months leading up to the planting
of the logic bomb and the subsequent attack, Duronio, using the U.S.
postal system, bought more than $21,000 worth of 'put option'
contracts on the stock of PaineWebber's parent company, UBS AG. A put
option is a contract that increases in value when the underlying
stock price drops. According to Wolfe, Duronio was betting the attack
would cripple the company's network, and its stock would fall in the
aftermath, allowing him to cash in.
Because of this part of his alleged plan, Duronio is being charged
with mail and securities fraud.
''Computers across the country pretty much all went down at once,''
says Wolfe. ''System administrators started to receive phone calls
that morning that certain computers weren't working. Within minutes,
it escalated from one phone call to 10, 60, 70... over 100 phone
calls. At or about 10 o'clock they realized it wasn't an isolated
issue but all the computers across the network. It was just too much
of a coincidence for that to happen... This [network] was designed so
everything would not crash at once. The same network designed to not
suffer that problem was suffering that exact problem.''
And Wolfe says the man who was responsible for keeping that exact
system up and running for three years was the one who ultimately took
it down.
''The defendant was motivated by the fact that he was a disgruntled
employee who was not happy with his salary,'' says Wolfe. ''He wanted
an annual salary of $175,000 guaranteed. And I think for the year 2001
he was paid about $13,000 less than that.''
Insider Attacks
Attacks by corporate insiders, even by IT professionals, are not an
uncommon problem, according to last year's CSI/FBI Computer Crime
Survey. With only slight variation from year to year, inside jobs
occur as frequently as the highly publicized outside hacker attacks.
Insider abuse, according to the survey, cost U.S. companies $6,856,450
last year.
''Insider attacks are definitely more dangerous,'' says Eric Maiwald,
a senior analyst for Burton Group, a research and consulting firm
based in Midvale, Utah. ''The average outside person generally doesn't
have access to your systems. Their first job in attacking you is to
get access, whereas the insider starts out with access. They're
starting one step ahead of the game. You have some general expectation
that they're not trying to cause you harm.''
John O'Leary, director of education at the San Francisco-based
Computer Security Institute, says companies have more to fear from
insiders in general because they know where the weak points in the
network are, and where the critical information is stored. But he adds
that executives have far more to fear from IT workers, because they
not only know how to get to the information but have the tools and the
access rights to do it easily.
''It's easy [to do] because we give our techs a lot of trust, but it's
difficult because we generally put compensating controls in place,''
says O'Leary. ''Other [people] need to edit what these guys are doing.
Someone needs to see what changes he made. If he could make changes
without somebody noticing, then something is wrong.''
Maiwald, though, says it's exceedingly difficult for companies to put
in enough processes and controls to completely shut down someone with
system administrator-level authority and access.
''It's only the trusted individuals who can betray you at that level,''
says Maiwald. ''If someone is digging ditches for you, they don't have
a lot of power. But your system administrator has a lot of power
because it's part of the job. If you put too many controls on them,
they can't do their jobs... There are controls that can be put in
place to do such things but they require a company to be very
watchful, along with additional staff, [and] specific procedures. And
it's just not very easy to do that.''
The Duronio Case
In this case, the government alleges that Duronio was a trusted
employee -- one with great access and authority -- who used that
against PaineWebber. The charge of computer intrusion is based on the
government's allegations that Duronio built the code for the logic
bomb, installed it on Unix machines in PaineWebber's central office in
Weehawken, N.J., and then pushed it out to about 1,000 computers
across the company's national network. Wolfe says the malicious code
was planted ''from coast to coast.''
The logic bomb, which was made up of only 50 to 70 lines of code, was
built to delete every file on the system, according to the
prosecution. Duronio, who quit his job at PaineWebber a few weeks
before the bomb went off, also allegedly planted the code on the
system's backup servers so that when IT workers tried to restore
operations using backup tapes, those files were deleted as well. The
bomb was designed to go off every Monday at 9:30 a.m. - just as the
stock market opened - in March, April and May of 2002.
Trading, the lifeblood of the company, was interrupted because of the
crippled network. PaineWebber reported to the government that trading
was hindered for a few days in larger locations, and for as long as a
few weeks in some branch offices. According to the prosecution, 350
IBM support personnel were brought in to aid with the nationwide
recovery effort.
''Could they trade? Yes. Could they trade the way they normally
traded? No,'' says Wolfe. ''Normally... the broker would sit at his
desk and go online and trade for you... If the client didn't know what
the balance of their account was, they couldn't trade for them.''
The government also contends that Duronio planted the code piecemeal
during the previous November and December from a remote location.
Wolfe says records show that Duronio's password and user account
information were used to gain remote access to the areas where the
malicious code was built inside the PaineWebber network. The U.S.
Secret Service, which is frequently called in to conduct criminal
investigations and specifically cyber crime, executed a warrant on
March 21, 2002, and allegedly found hard copy of the logic bomb's
source code on the defendant's bedroom dresser. They also allegedly
found the source code on two of his four home computers.
''The defendant used the information of the impending logic bomb
attack,'' says Wolfe. ''He purchased securities. He bet against the
company that the company stock would drop... He engaged in an artifice
or scheme to fraud investors.''
Computer sabotage is a federal offense if it affects a computer used
in interstate commerce and causes more than $5,000 worth of damage to
the company over a 12-month span. Duronio faces a maximum sentence of
30 years, fines of up to $1 million and restitution for the $3.2
million PaineWebber spent on recovery.
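The compensating control O'Leary describes above, that someone other than the administrator must see every change a privileged account makes, can be made concrete for scheduled jobs, which is where a time-triggered payload of the kind alleged in this case would have to live on a Unix host. The article does not say how the alleged code was scheduled; cron is used here only because it is the usual Unix scheduler. The script below is an added example and is not code from the article, from PaineWebber or from the prosecution; the hostnames, the approved baseline and the crontab text are constructed. It compares collected crontab entries against the baseline that change control has signed off on, reports every entry nobody approved, and ranks those that run destructive commands or fire at a fixed weekday and clock time. Note that the second host's unapproved job is caught by the baseline comparison alone: its command hides behind a script name that no pattern would flag.

```python
"""Scheduled-job change review: surface cron entries nobody approved.

Added example, not code from the article or from PaineWebber. The hostnames,
the approved baseline and the crontab text below are constructed for the
illustration; a real deployment would pull crontabs from the hosts and the
baseline from the change-ticket system.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Command shapes that warrant a second pair of eyes in any scheduled job.
DESTRUCTIVE = re.compile(
    r"\b(rm\s+-\w*[rf]\w*\b|mkfs\b|dd\s+if=|shred\b|find\b.*-delete\b)"
)

# Five schedule fields followed by the command (crontab without a user column).
CRON_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class Job:
    host: str
    schedule: str  # "min hour dom mon dow"
    command: str


def parse_crontab(host: str, text: str) -> list[Job]:
    """Turn crontab text into Job records, skipping comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = CRON_LINE.match(line)
        if not m:  # @reboot/@daily shorthands are out of scope for this example
            continue
        jobs.append(Job(host, " ".join(m.groups()[:5]), m.group(6).strip()))
    return jobs


def review(jobs: list[Job], approved: set[tuple[str, str, str]]) -> list[dict]:
    """Return one finding per job that is absent from the approved baseline.

    The baseline comparison is the control itself: a privileged change no
    second person has signed off on is the alarm. The two extra checks only
    rank what that comparison surfaces.
    """
    findings = []
    for job in jobs:
        if (job.host, job.schedule, job.command) in approved:
            continue
        minute, hour, _dom, _mon, dow = job.schedule.split()
        reasons = ["not in approved baseline"]
        if DESTRUCTIVE.search(job.command):
            reasons.append("destructive command")
        if minute != "*" and hour != "*" and dow != "*":
            reasons.append("fires at a fixed weekday and clock time")
        findings.append({
            "host": job.host,
            "schedule": job.schedule,
            "command": job.command,
            "severity": "high" if len(reasons) > 1 else "medium",
            "reasons": reasons,
        })
    return findings


def review_all(crontabs: dict[str, str], approved: set) -> list[dict]:
    """Parse every collected crontab and return findings sorted by host and schedule."""
    jobs = [j for host, text in crontabs.items() for j in parse_crontab(host, text)]
    return sorted(review(jobs, approved), key=lambda f: (f["host"], f["schedule"]))


# Constructed baseline: what change control has signed off on.
APPROVED = {
    ("unix-01", "0 2 * * *", "/usr/local/bin/nightly-backup"),
    ("unix-01", "*/15 * * * *", "/usr/local/bin/rotate-logs"),
    ("unix-02", "0 2 * * *", "/usr/local/bin/nightly-backup"),
}

# Constructed crontabs as collected from two hosts.
SAMPLE_CRONTABS = {
    "unix-01": """
MAILTO=root
0 2 * * * /usr/local/bin/nightly-backup
*/15 * * * * /usr/local/bin/rotate-logs
0 3 * * * rm -rf /var/tmp/cache/*
""",
    "unix-02": """
0 2 * * * /usr/local/bin/nightly-backup
30 9 * * 1 /usr/local/sbin/cleanup.sh
""",
}

if __name__ == "__main__":
    for f in review_all(SAMPLE_CRONTABS, APPROVED):
        print(f"{f['severity']:6} {f['host']} [{f['schedule']}] {f['command']}"
              f"  ({'; '.join(f['reasons'])})")
```

Run as-is, it reports both unapproved entries as high severity: the rm job on unix-01 because of its command, and the Monday 09:30 job on unix-02 because of its schedule. The output is only useful if a person other than the administrator who owns the hosts reads it, which is the point Maiwald makes about the staff and procedure such controls require.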
From isn at c4i.org Mon Jun 5 04:26:32 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:32 -0500 (CDT)
Subject: [ISN] Swedish police probe site crash
Message-ID:
http://news.com.com/Swedish+police+probe+site+crash/2100-7349_3-6079740.html
By Reuters
June 4, 2006
Sweden's domestic intelligence agency said it would probe why the
government's Web site crashed on Sunday amid reports hackers had
sought revenge for a crackdown on alleged online piracy.
The government Web site went off line in the early hours of Sunday.
The Internet home page of the national police crashed in similar
fashion on Thursday.
The police Web site problem came a day after the Pirate Bay Internet
page, which the recording industry calls a major source for
downloading pirated music and films, was shut by police.
"They (the government) contacted us and wanted to make a police
complaint that something has happened with their home page and it is
now a question for us to investigate if it is a crime or something else,"
said Anders Thornberg, a spokesman for the Security Police
intelligence agency.
Local media said hackers attacked both sites, now functioning again,
after the clampdown on Pirate Bay. Pirate Bay is also up and running
again.
Sweden's Emergency Management Agency earlier warned all 31 bodies
involved in emergency management, such as the police and rescue
services, and all 21 local authorities to ensure they were safe from
attacks on their Web sites.
Newspaper Aftonbladet quoted a group called World Wide Hackers as
saying they had arranged an attack on the government's Web site.
Sweden last year banned the downloading of copyright protected music
and movies from the Internet after being singled out for criticism by
Hollywood. The raid on Pirate Bay was the latest of several actions
against suspected online piracy.
Critics say the police are heavy handed and that people should have
access to free information via the Internet, including file sharing.
Several hundred people demonstrated in Stockholm on Saturday in
support of Pirate Bay.
Story Copyright © 2006 Reuters Limited. All rights reserved.
From isn at c4i.org Mon Jun 5 04:26:55 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:26:55 -0500 (CDT)
Subject: [ISN] DISA seeks input on insider threat tools
Message-ID:
http://www.fcw.com/article94741-06-02-06-Web
By Bob Brewin
June 2, 2006
The Defense Information Systems Agency wants industry input on tools
that could counter insider threats to Defense Department information
systems.
DISA said traditional efforts to secure networks focus on outside
threats, but insiders pose an equally damaging threat. And they can
access DOD networks without detection by the security systems.
DISA, in a request for information released June 1 [1], said it is
looking for an insider threat focused observation tool that could be
deployed on selected host DOD machines to aggressively gather and
analyze data on inside threats.
DISA said the insider threat tools would enhance the network security
of DOD information systems.
The host machines would sit at network end points and could be servers,
desktop PCs or laptop PCs, each equipped with agent-based tools that can
monitor insider network activity. The tool would
collect data such as user IDs, computer type and the processes -
e-mail clients, Web browsers, office management tools, database access
- that monitored computers run.
DISA said it wants tools that can then conduct user analysis on the
collected data and warn of anomalies based on user profiles and
behavior patterns.
DISA envisions that the host machines would connect to a central
manager that can handle as many as 250 hosts at a time, with the hosts
located within an enclave, such as a local-area or base network.
The insider threat tools should also include a console, which is the
central display and action point for collected user data and will
provide the operator with real-time insight into user activity, the
RFI states.
DISA said it wants a tool capable of working with a wide range of
operating systems including Microsoft Windows 2000, Windows XP,
Windows NT4, Sun Microsystems Solaris, Unix and Linux.
The due date for RFI responses is July 5.
[1] http://www.fbo.gov/spg/DISA/D4AD/DITCO/RFI418/listing.html
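The RFI's core requirement, per-user analysis that warns of anomalies against each user's own profile, is a small enough idea to show in working code. The following is an added example, not code from the article, from DISA or from any vendor's tool. It assumes a record format of '<iso-timestamp> <user> <host> <process>' for what the RFI calls agent-collected data, and the users, hosts, training window, MIN_SAMPLES and the 5% usual-hour threshold are all constructed. It learns, per user, which hosts, processes and hours of day are normal, then scores new records; a user with no profile at all is reported rather than passed, since an unknown account quietly appearing on an end point is exactly the case such a tool exists to catch.

```python
"""Per-user behaviour baselines over host-agent records, with anomaly alerts.

Added example, not code from the article, from DISA or from any vendor's
tool. The record format, users, hosts, training window, MIN_SAMPLES and the
usual-hour threshold are constructed assumptions for the illustration.
"""
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

MIN_SAMPLES = 20         # fewer observations than this and a profile is not trusted
USUAL_HOUR_SHARE = 0.05  # an hour is usual if it carries >= 5% of the user's activity


@dataclass(frozen=True)
class Record:
    ts: datetime
    user: str
    host: str
    process: str


@dataclass
class Profile:
    hosts: set[str] = field(default_factory=set)
    processes: set[str] = field(default_factory=set)
    hours: Counter = field(default_factory=Counter)
    samples: int = 0


def parse(line: str) -> Record:
    """Parse one agent record of the form '<iso-timestamp> <user> <host> <process>'."""
    ts, user, host, process = line.split(maxsplit=3)
    return Record(datetime.fromisoformat(ts), user, host, process)


def build_profiles(records) -> dict[str, Profile]:
    """Learn, per user, which hosts, processes and hours are normal for them."""
    profiles = defaultdict(Profile)
    for r in records:
        p = profiles[r.user]
        p.hosts.add(r.host)
        p.processes.add(r.process)
        p.hours[r.ts.hour] += 1
        p.samples += 1
    return dict(profiles)


def score(r: Record, profiles: dict[str, Profile]) -> list[str]:
    """Return the reasons a record deviates from its user's profile ([] = normal)."""
    p = profiles.get(r.user)
    if p is None:
        return ["no baseline for user"]   # report, never silently pass, unknown accounts
    if p.samples < MIN_SAMPLES:
        return ["baseline too thin"]
    reasons = []
    if r.host not in p.hosts:
        reasons.append("unseen host")
    if r.process not in p.processes:
        reasons.append("unseen process")
    if p.hours[r.ts.hour] < USUAL_HOUR_SHARE * p.samples:
        reasons.append("unusual hour")
    return reasons


def detect(training_lines, new_lines) -> list[tuple[Record, list[str]]]:
    """Build profiles from the training window, then alert on deviating new records."""
    profiles = build_profiles(parse(line) for line in training_lines)
    alerts = []
    for line in new_lines:
        r = parse(line)
        reasons = score(r, profiles)
        if reasons:
            alerts.append((r, reasons))
    return alerts


def constructed_training() -> list[str]:
    """Five constructed working days: jdoe 09-17 on one workstation, admin7 08-18 on two servers."""
    lines = []
    for day in range(1, 6):
        for hour in range(9, 18):
            lines.append(f"2006-05-{day:02d}T{hour:02d}:00:00 jdoe ws-101 outlook.exe")
            lines.append(f"2006-05-{day:02d}T{hour:02d}:30:00 jdoe ws-101 winword.exe")
        for hour in range(8, 19):
            host = "srv-01" if hour % 2 else "srv-02"
            lines.append(f"2006-05-{day:02d}T{hour:02d}:05:00 admin7 {host} ssh")
            lines.append(f"2006-05-{day:02d}T{hour:02d}:35:00 admin7 {host} sqlplus")
    return lines


# Constructed records from a later day; the first one is ordinary activity.
NEW_RECORDS = [
    "2006-06-05T10:15:00 jdoe ws-101 outlook.exe",
    "2006-06-05T02:40:00 jdoe ws-101 outlook.exe",
    "2006-06-05T23:10:00 admin7 srv-02 scp",
    "2006-06-05T11:00:00 tsmith ws-200 notepad.exe",
    "2006-06-05T14:00:00 jdoe srv-01 sqlplus",
]

if __name__ == "__main__":
    for rec, why in detect(constructed_training(), NEW_RECORDS):
        print(f"{rec.ts.isoformat()} {rec.user}@{rec.host} {rec.process}: {', '.join(why)}")
```

The profile here is deliberately coarse (sets plus an hour histogram) so that each alert carries a reason an operator at the console can act on, which the RFI asks for in preference to an opaque score. The thresholds are where the tuning happens: MIN_SAMPLES decides how long a new account stays in the "too thin" state, and USUAL_HOUR_SHARE decides how much after-hours activity a user can accumulate before it stops being unusual.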
From isn at c4i.org Mon Jun 5 04:27:12 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 5 Jun 2006 03:27:12 -0500 (CDT)
Subject: [ISN] BACK TO THE BUNKER
Message-ID:
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/02/AR2006060201410.html
By William M. Arkin
The Washington Post
June 4, 2006
On Monday, June 19, about 4,000 government workers representing more
than 50 federal agencies from the State Department to the Commodity
Futures Trading Commission will say goodbye to their families and set
off for dozens of classified emergency facilities stretching from the
Maryland and Virginia suburbs to the foothills of the Alleghenies.
They will take to the bunkers in an "evacuation" that my sources
describe as the largest "continuity of government" exercise ever
conducted, a drill intended to prepare the U.S. government for an
event even more catastrophic than the Sept. 11, 2001, attacks.
The exercise is the latest manifestation of an obsession with
government survival that has been a hallmark of the Bush
administration since 9/11, a focus of enormous and often absurd time,
money and effort that has come to echo the worst follies of the Cold
War. The vast secret operation has updated the duck-and-cover
scenarios of the 1950s with state-of-the-art technology -- alerts and
updates delivered by pager and PDA, wireless priority service, video
teleconferencing, remote backups -- to ensure that "essential"
government functions continue undisrupted should a terrorist's nuclear
bomb go off in downtown Washington.
But for all the BlackBerry culture, the outcome is still old-fashioned
black and white: We've spent hundreds of millions of dollars on
alternate facilities, data warehouses and communications, yet no one
can really foretell what would happen to the leadership and
functioning of the federal government in a catastrophe.
After 9/11, The Washington Post reported that President Bush had set
up a shadow government of about 100 senior civilian managers to live
and work outside Washington on a rotating basis to ensure the
continuity of national security. Since then, a program once focused on
presidential succession and civilian control of U.S. nuclear weapons
has been expanded to encompass the entire government. From the
Department of Education to the Small Business Administration to the
National Archives, every department and agency is now required to plan
for continuity outside Washington.
Yet according to scores of documents I've obtained and interviews with
half a dozen sources, there's no greater confidence today that
essential services would be maintained in a disaster. And no one
really knows how an evacuation would even be physically possible.
Moreover, since 9/11 and Hurricane Katrina, the definition of what
constitutes an "essential" government function has been expanded so
ridiculously beyond core national security functions -- do we really
need patent and trademark processing in the middle of a nuclear
holocaust? -- that the term has become meaningless. The intent of the
government effort may be laudable, even necessary, but a
hyper-centralized approach based on the Cold War model of evacuations
and bunkering makes it practically worthless.
That the continuity program is so poorly conceived, and poorly run,
should come as no surprise. That's because the same Federal Emergency
Management Agency that failed New Orleans after Katrina, an agency
that a Senate investigating committee has pronounced "in shambles and
beyond repair," is in charge of this enormous effort to plan for the
U.S. government's survival.
Continuity programs began in the early 1950s, when the threat of
nuclear war moved the administration of President Harry S. Truman to
begin planning for emergency government functions and civil defense.
Evacuation bunkers were built, and an incredibly complex and secretive
shadow government program was created.
At its height, the grand era of continuity boasted the fully
operational Mount Weather, a civilian bunker built along the crest of
Virginia's Blue Ridge, to which most agency heads would evacuate; the
Greenbrier hotel complex and bunker in West Virginia, where Congress
would shelter; and Raven Rock, or Site R, a national security bunker
bored into granite along the Pennsylvania-Maryland border near Camp
David, where the Joint Chiefs of Staff would command a protracted
nuclear war. Special communications networks were built, and
evacuation and succession procedures were practiced continually.
When the Soviet Union crumbled, the program became a Cold War
curiosity: Then-Defense Secretary Dick Cheney ordered Raven Rock into
caretaker status in 1991. The Greenbrier bunker was shuttered and a
30-year-old special access program was declassified three years later.
Then came the terrorist attacks of the mid-1990s and the looming Y2K
rollover, and suddenly continuity wasn't only for nuclear war anymore.
On Oct. 21, 1998, President Bill Clinton signed Presidential Decision
Directive 67, "Enduring Constitutional Government and Continuity of
Government Operations." No longer would only the very few elite
leaders responsible for national security be covered. Instead, every
single government department and agency was directed to see to it that
they could resume critical functions within 12 hours of a warning, and
keep their operations running at emergency facilities for up to 30
days. FEMA was put in charge of this broad new program.
On 9/11, the program was put to the test -- and failed. Not on the
national security side: Vice President Cheney and others in the
national security leadership were smoothly whisked away from the
capital following procedures overseen by the Pentagon and the White
House Military Office. But like the mass of Washingtonians, officials
from other agencies found themselves virtually on their own, unsure of
where to go or what to do, or whom to contact for the answers.
In the aftermath, the federal government was told to reinvigorate its
continuity efforts. Bush approved lines of succession for civil
agencies. Cabinet departments and agencies were assigned specific
emergency responsibilities. FEMA issued new preparedness guidelines
and oversaw training. A National Capital Region continuity working
group established in 1999, comprising six White House groups, 15
departments and 61 agencies, met to coordinate.
But all the frenetic activity did not produce a government prepared
for the worst. A year after 9/11, and almost three years after the
deadline set in Clinton's 1998 directive, the Government Accounting
Office evaluated 38 agencies and found that not one had addressed all
the issues it had been ordered to. A 2004 GAO audit of 34 government
continuity-of-operations plans found total confusion on the question
of essential functions. One unnamed organization listed 399 such
functions. A department included providing "speeches and articles for
the Secretary and Deputy Secretary" among its essential duties, while
neglecting many of its central programs.
The confusion and absurdity have continued, according to documents
I've collected over the past few years. In June 2004, FEMA told
federal agencies that essential services in a catastrophe would
include not only such obvious ones as electric power generation and
disaster relief but also patent and trademark processing, student aid
and passport processing. A month earlier, FEMA had told states and
local communities that library services should be counted as essential
along with fire protection and law enforcement.
None of this can be heartening to Americans who want to believe that
in a crisis, their government can distinguish between what is truly
essential and what isn't -- and provide it.
Just two years ago, an exercise called Forward Challenge '04 pointed
up the danger of making everyone and everything essential: Barely an
hour after agencies were due to arrive at their relocation sites, the
Office of Management and Budget asked the reconstituted government to
identify emergency funding requirements.
As one after-action report for the exercise later put it in a classic
case of understatement: "It was not clear . . . whether this would be
a realistic request at that stage of an emergency."
This year's exercise, Forward Challenge '06, will be the third major
interagency continuity exercise since 9/11. Larger than Forward
Challenge '04 and the Pinnacle exercise held last year, it requires 31
departments and agencies (including FEMA) to relocate. Fifty to 60 are
expected to take part.
According to government sources, the exercise will test the newly
created continuity of government alert conditions -- called COGCONs --
that emulate the DEFCONs of the national security community. Forward
Challenge will begin with a series of alerts via BlackBerry and pager
to key officials. It will test COGCON 1, the highest level of
preparedness, in which each department and agency is required to have
at least one person in its chain of command and sufficient staffing at
alternate operating facilities to perform essential functions.
Though key White House officials and military leadership would be
relocated via the Pentagon's Joint Emergency Evacuation Program
(JEEP), the civilians are on their own to make it to their designated
evacuation points.
But fear not: Each organization's COOP, or continuity of operations
plan, details the best routes to the emergency locations. The plans
even spell out what evacuees should take with them (recommended items:
a combination lock, a flashlight, two towels and a small box of
washing powder).
Can such an exercise, announced well in advance, hope to re-create any
of the tensions and fears of a real crisis? How do you simulate the
experience of driving through blazing, radiated, panic-stricken
streets to emergency bunker sites miles away?
As the Energy Department stated in its review of Forward Challenge
'04, "a method needs to be devised to realistically test the ability
of . . . federal offices to relocate to their COOP sites using a
scenario that simulates . . . the monumental challenges that would be
involved in evacuating the city."
With its new plans and procedures, Washington may think it has thought
of everything to save itself. Forward Challenge will no doubt be
deemed a success, and officials will pronounce the
continuity-of-government project sound. There will be lessons to be
learned that will justify more millions of dollars and more work in
the infinite effort to guarantee order out of chaos.
But the main defect -- a bunker mentality that considers too many
people and too many jobs "essential" -- will remain unchallenged.
-=-
William M. Arkin writes the Early Warning blog for washingtonpost.com
and is the author of "Code Names: Deciphering U.S. Military Plans,
Programs and Operations in the 9/11 World" (Steerforth Press).
© 2006 The Washington Post Company
From isn at c4i.org Tue Jun 6 06:03:36 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:03:36 -0500 (CDT)
Subject: [ISN] Spammer settles suit for $1 million
Message-ID:
http://news.com.com/2100-7348_3-6079868.html
By Will Sturgeon
Special to CNET News.com
June 5, 2006
A major spammer who was accused of sending up to 25 million e-mails
per day has settled a lawsuit with Microsoft and the state of Texas.
The settlement has cost Ryan Pitylak $1 million, as well as the
seizure of many of the assets he accumulated during a short-lived
career as one of the world's worst spammers.
At the peak of his spamming activity, the 24-year-old Texas resident
was listed as the world's fourth most-prolific spammer by antispam
group Spamhaus.
Now Pitylak is claiming something of an epiphany, saying he has seen
the error of his ways and will dedicate his efforts to trying to rid
the world of nuisance e-mail. He has even taken to referring to
himself as an "antispam activist" in an apparent change of heart of
epic proportions.
On Saturday, Pitylak wrote in his blog: "Over time I have come to see
how I was wrong to think of spam as just a game of cat and mouse with
corporate e-mail administrators. I now understand why so much effort
is put into stopping it. The settlements with Microsoft and the
Attorney General's Office have been a serious reality check: harsh but
good, and in the public's best interest."
He added: "I am pleased to announce that I am now a part of the
anti-spam community, having started an Internet security company that
offers my clients advice on systems to protect against spam. I'm now
working earnestly to help other entrepreneurs avoid the traps that
deceived me and led me to make questionable business choices."
Will Sturgeon of Silicon.com reported from London.
From isn at c4i.org Tue Jun 6 06:03:03 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:03:03 -0500 (CDT)
Subject: [ISN] Wal-Mart's data center remains mystery
Message-ID:
http://www.joplinglobe.com/local/local_story_148015054/
By Max McCoy
The Joplin Globe
Globe Investigative Writer
May 28, 2006
JANE, Mo. - Call it Area 71.
Behind a fence topped with razor wire just off U.S. Highway 71 is a
bunker of a building that Wal-Mart considers so secret that it won't
even let the county assessor inside without a nondisclosure agreement.
The 125,000-square-foot building, tucked behind a new Wal-Mart
Supercenter, is only a stone's throw from the Arkansas line and about
15 miles from corporate headquarters in Bentonville, Ark.
There is nothing about the building to give even a hint that Wal-Mart
owns it.
Despite the glimpses through the fence of manicured grass and
carefully placed trees, the overall impression is that this is a
secure site that could withstand just about anything. Earth is packed
against the sides. The green roof - meant, perhaps, to blend into the
surrounding Ozarks hills - bristles with dish antennas. On one of the
heavy steel gates at the guardhouse is a notice that visitors must use
the intercom for assistance.
What the building houses is a mystery.
Speculation
Wal-Mart's ability to crunch numbers is a favorite of conspiracy
theorists, and its data centers are the corporate counterpart to Area
51 at Groom Lake in the state of Nevada. According to one consumer
activist, Katherine Albrecht, even the wildest conspiracy buff might
be surprised at just how much Wal-Mart knows about its customers - and
how much more it would like to know.
"We were contacted about two years ago by somebody who runs a security
company that had been asked in a request for proposals for ways they
could link video footage with customers paying for their purchases,"
Albrecht said. "Wal-Mart would actually be able to view photos and
video of customers paying, say, for a pack of gum. At the time, it
struck me as unbelievably outlandish because of the amount of data
storage required."
But Wal-Mart, according to a 2004 New York Times article, had enough
storage capacity to hold twice the amount of all the information
available on the Internet. For the technically minded, the figure was
460 terabytes of data. The prefix tera comes from the Greek word for
monster; a terabyte is a trillion bytes, the byte being the basic unit
of computer storage.
Albrecht, founder of Consumers Against Supermarket Privacy Invasion
and Numbering, said she never could confirm the contractor's story.
That is not surprising, since Wal-Mart seldom comments on its data
capabilities and operations.
A Globe request for information about the Jane data center was
referred at Wal-Mart headquarters to Carrie Thum, a senior information
officer and former lobbyist for the retailer.
"This is not something that we discuss publicly," Thum said. "We have
no comment. And that's off the record."
Skeleton crew
The Jane data center is an enigmatic icon to the power of data, which
has helped Wal-Mart become the largest retailer in the world, and to
the corporation's growing secrecy since founder Sam Walton's death in
1992. When Wal-Mart constructed its primary data center at corporate
headquarters in 1989, it wasn't much of a secret: It was the largest
poured concrete structure in Arkansas at the time, and Walton himself
ordered a third story.
"Not only had we completely designed it, we were under construction,"
said Bill Ferguson, a founder of Askew Nixon Ferguson Architects in
Memphis, Tenn. "They were pouring foundations, and Sam walked across
the parking lot one Friday at the end of the day and said, 'You know,
let's add a third floor and put some people up there.'"
Ferguson said the Bentonville data center is built on bedrock and is
designed to withstand most natural and man-made disasters, but is not
impregnable. The biggest danger, he said, is the area's frequently
violent thunderstorms.
"We studied making it tornado-proof, which is difficult," he said. "We
calculated the probability of a category 5 tornado hitting it, which
was less likely than an airplane crashing into it head-on. At the
time, they decided not to."
Since then, Ferguson said, changes have been made to increase the
integrity of the structure. The data center was designed with backup
generators, fuel on site, and room and board for a skeleton crew in
the event an emergency required an extended stay.
Ferguson said his firm learned to design data centers by working with
FedEx, which also is based in Memphis, and that the 1989 Wal-Mart data
center was built so that it could communicate via any means available
- including copper wire, fiber optics and satellites.
The firm no longer works with Wal-Mart, and Ferguson said he had no
knowledge of the design or purpose of the data center in Jane. But he
suggested that Jim Liles, a Memphis engineer, might know.
Liles said he was a consultant on the Jane project, and that Crossland
Construction was the contractor, but he was reluctant to say much
else. "As far as what its purpose is, all that has to come from
Wal-Mart," Liles said.
Crossland Construction, based in Columbus, Kan., said Tim Oelke of the
company's Rogers, Ark., office had been in charge. Oelke did not
return a phone call seeking comment.
'Never saw a plan'
The data center was completed in 2004 and was part of a project that
included the Supercenter, which opened early last year, and a
warehouse. The resulting economic impact on McDonald County, known for
its rolling hills and lazy rivers, is difficult to underestimate, said
Rusty Enlow.
"Just a few years ago, one new store would have been a big deal,"
Enlow said. "And I'm not talking about a Supercenter. Just a gas
station would have generated excitement."
Now, Enlow said, the county's tax base has doubled, and land is going
for about $2,100 an acre, about twice what it was before the project
was announced in 2001.
Enlow is chairman of the county planning commission, a body created by
popular vote in 1964 but which had not met until this month. Enlow
said he doesn't know why the commission never met, but he believes it
was because whatever problem prompted its creation was solved before
the board was appointed. He also said he's not sure the planning
commission has any real authority, or would want any (there is no
zoning in the county), but that he and the other 18 members are eager
to bring even more business into the county.
"It seems with the opening of that store there has just been a lot of
activity," he said. "McDonald County has always been a poor county,
but we are in an excellent position now. We're a friendly place, and
we're open to things."
Wal-Mart, Enlow said, had created a business synergy that was helping
the county of 22,000 shed its hillbilly stereotype.
Enlow was director of the McDonald County Economic Development Council
when Wal-Mart quietly began scouting for land. Only after the land had
been bought south of the then-unincorporated community of Jane was it
announced that the project was Wal-Mart's, and even then, plans for
the data center were closely held.
"I never even saw a plan on it," Enlow said.
But Enlow said he watched during the construction of the data center,
and that it appeared to be a single-story building that was built
"like a bunker," with mounds of earth piled against the sides. He
later was told that it would employ 15 to 20 people, and that the
building was for data storage.
To facilitate the project, the Missouri Department of Transportation
agreed to widen Highway 71 to four lanes from Jane to the Arkansas
line; a grant was used to expand the public water district; and the
Army Corps of Engineers approved a request to fill in a small portion
of wetland along Bear Hollow Road.
Meanwhile, the village of Jane incorporated.
In April 2005, Wal-Mart used the 160,000-square-foot Supercenter to
demonstrate its micro-merchandising capabilities as part of a media
conference. Employees demonstrated hand-held Telxon (pronounced
Tel-zon) computers, which resemble hand scanners but hold a year's
worth of a particular store's sales history on every item. The devices
help store managers decide what to stock.
Bananas are Wal-Mart's best-selling produce product nationwide, but at
Jane, the top seller was lettuce, Supermarket News reported after the
event.
'Secretive'
Bill Wilson, McDonald County presiding commissioner, said he has never
been inside the green-roofed data center, and that to his knowledge,
only one county official has: Assessor Laura Pope.
"I had to sign a document saying that I wouldn't talk about what's in
there," Pope said. "I've never been in a situation to tour anything
like that before. I don't want to be secretive about it. Basically, it
houses computer equipment."
Pope said she had never been asked to sign a nondisclosure agreement
before in her job as assessor, and that she didn't keep a copy. She
said she didn't appraise the building and equipment, but rather came
to an agreement with Wal-Mart on what it was worth.
They agreed that the data center would be worth $10.7 million at fair
market value, she said. The equipment inside the center was judged to
be worth nearly three times as much: $31.7 million.
The taxes that Wal-Mart paid last year on the data center totaled just
more than $500,000: $128,091 for the real estate and $373,091 for the
equipment.
Pope said she did not place a value on the data stored at the
building. At an estimated worth of $42.4 million, is the Wal-Mart data
center at Jane important enough to the infrastructure of the state -
or the country - to be on Missouri's list of critical assets?
Paul Fennewald, Missouri Homeland Security coordinator, said the list
is confidential, and that he could neither confirm nor deny that the
Jane building is on it. He did say that the list includes 4,000 to
4,500 sites across the state.
'Retail surveillance'
Albrecht, the consumer activist, said that when the contractor came to
her with the story about Wal-Mart wanting to biometrically identify
customers through video, one of the reasons given was to help law
enforcement.
"You could search for all sales of a particular kind of rope and get a
photo of who bought it," she said. "On the other end, you could
research all of the purchases of a particular individual, even if they
paid in cash."
Albrecht is the co-author of "Spychips," about the use of RFID, or
radio frequency identification devices, by the government and
corporations to track individuals. She lives in Nashua, N.H., and is
getting ready to receive a doctorate of education in consumer
education.
"To the best of our knowledge, the only consumer-level item that is
(RFID) tagged at Wal-Mart are Hewlett-Packard products and some Sanyo
television sets," she said. "Now, the privacy implications of that are
fairly trivial, because you're not going to be walking down the street
carrying your printer box in your back pocket."
But in 2003, she said, Wal-Mart did two experiments using RFID on
smaller items: razor blades and lipstick.
At Brockton, Mass., Albrecht said, the company used a surveillance
camera on a shelf that was linked to chips in packages of razor
blades. When someone picked up a package, she said, the shelf camera
would be activated. Another camera would take a mug shot of the
customer at the checkout stand.
At Broken Arrow, Okla., she said, the company linked devices in
packages of lipstick that triggered a camera that allowed the lipstick
manufacturer to watch consumers on live video.
The experiments apparently were aimed at decreasing theft or for use
in merchandise research, she said. "Since 1999, I've been working on a
phenomenon called retail surveillance, which is a whole panoply of
technologies that are being secretly deployed," she said. "I think
most people, when they learn about these technologies, are quite
disturbed. There's a sense that when you enter a retail space, you
should retain some degree of privacy."
But, Albrecht said, there's a push among retailers to collect as much
information about their customers as possible - and to keep the
lower-profit individuals, known as "barnacles" and "bottom-feeders,"
away.
"There's a lot of hand-wringing about how we can find out even more
about our customers," she said. "And to the extent that Wal-Mart may
be creating the ability to monitor consumers by RFID and identify them
by video, I'm extremely concerned. ... If that's the case, they would
need that kind of data storage."
Wal-Mart's stand on RFID
"Electronic product codes (EPCs) can best be described as the next
generation of bar codes. Unlike current bar codes, which only share
that a carton contains product XYZ, EPCs can identify one box of
product XYZ from another box of product XYZ.
"This is possible because EPCs are powered by radio frequency
identification or RFID. EPCs do not track customers. ... EPCs assist
retailers in more closely monitoring where products are as they move
from manufacturers to warehouses to a store's backroom.
"This helps us do a better job of having the right products on the
shelves when you come to buy them."
Source: www.walmart.com
From isn at c4i.org Tue Jun 6 06:03:25 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:03:25 -0500 (CDT)
Subject: [ISN] Cybercrime spurs college courses in digital forensics
Message-ID:
http://www.usatoday.com/tech/news/techinnovations/2006-06-05-digital-forensics_x.htm
By Jon Swartz
USA TODAY
6/5/2006
SAN FRANCISCO - One of the hottest new courses on U.S. college
campuses is a direct result of cybercrime.
Classes in digital forensics - the collection, examination and
presentation of digitally stored evidence in criminal and civil
investigations - are cropping up as fast as the hackers and viruses
that spawn them.
About 100 colleges and universities offer undergraduate and graduate
courses in digital forensics, with a few offering majors. There are
programs at Purdue University, Johns Hopkins University, the
University of Tulsa, Carnegie Mellon University and the University of
Central Florida. Five years ago, there were only a handful.
"I teach students to be like (TV supersleuth) MacGyver," says Sujeet
Shenoi, a computer science professor at the University of Tulsa.
Traditional students, police officers, government employees and
aspiring security consultants are taking the courses as more crooks
stash ill-gotten data and goods on PCs, PDAs, cellphones, network
servers, iPods and even Xboxes.
Students learn where to find digital evidence and handle it without
contaminating it. Once preserved, students are shown how to examine
evidence and present it clearly during court testimony. "If you revert
to geek speak, you can lose a judge, jury and prosecutor," says Mark
Pollitt, a digital forensics professor at Johns Hopkins University who
retired in 2003 after 20 years as an FBI agent.
Digital forensics is considered a crucial weapon in law enforcement's
escalating war against computer-related crimes. The science is used in
criminal investigations; civil cases such as employment lawsuits where
personnel records and e-mail correspondence are sought; and by
companies faced with cyberattacks. Plus, there are evolving state and
federal laws that define how evidence is handled in civil cases.
The evidence is particularly important in the seizure of data for
child pornography cases, which comprise a majority of criminal
investigations in the USA, says Marcus Rogers, an associate professor
who heads the computer forensics program at Purdue University's
College of Technology.
The FBI handled more than 9,500 computer forensics cases in fiscal
year 2005, which ended in September, compared with about 3,600 in
fiscal 2000, according to an FBI briefing.
The crush of cases has domestic intelligence agencies such as the
National Security Agency and the CIA, local law-enforcement officials
and companies clamoring for experts in finding and preserving digital
evidence, security experts say. "There is a thirst in government
agencies for (cyberinvestigators)," Pollitt says. There appears to be
no shortage of suitors. Since he enrolled in Purdue's master's program
last fall, Blair Gillam says he has been approached by recruiters
representing government agencies and the private sector.
From isn at c4i.org Tue Jun 6 06:04:01 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:04:01 -0500 (CDT)
Subject: [ISN] REVIEW: "Perfect Passwords", Mark Burnett
Message-ID:
Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
BKPRFPWD.RVW 20060420
"Perfect Passwords", Mark Burnett, 2006, 1-59749-041-5,
U$24.95/C$34.95
%A Mark Burnett
%C 800 Hingham Street, Rockland, MA 02370
%D 2006
%G 1-59749-041-5
%I Syngress Media, Inc.
%O U$24.95/C$34.95 781-681-5151 fax: 781-681-3585 amy at syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597490415/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597490415/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597490415/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 181 p.
%T "Perfect Passwords: Selection, Protection, Authentication"
Those of us in the security field know that users are generally bad at
creating passwords, and that passwords that are easily guessed or
found account for huge numbers of security incidents. Therefore, I am
in full sympathy with a book that attempts to lay out some guidance on
password choice. However, Burnett's work calls to mind the old joke
that lists all kinds of restrictions on password selection, and
finally admits that only one possible password actually fits the
criteria, and will all users please contact tech support to be issued
with that password.
Chapter one tells us that people choose weak passwords, and gives a
number of lists of such poor choices, without an awful lot of
explanation. (Burnett also states that the choice of strong passwords
provides non-repudiation, which is a rather strange position. One
could make a case that the deliberate choice of a vulnerable password
would allow the user to later claim that their account had been
hacked, and therefore assist with repudiation, but the reverse doesn't
necessarily hold.) Various types of password cracking techniques are
given in chapter two. This begins to show the inconsistencies and
contradictions that plague the text: at one point we are told that any
password less than fifteen characters is "immediately" available to
attackers, but elsewhere it is suggested that a ten character password
is a wise choice. (Although brute force cracking is discussed
extensively, there is, oddly, no mention of the implications of
Moore's Law.) There is a good discussion of the vital issue of
randomness in chapter three, although there are numerous gaps, and,
again, erratic suggestions. Chapter four covers character sets and
address space. Unfortunately, it is rather impractical (as are other
areas of the manual) due to a lack of recognition of character
restrictions. Password length is addressed in chapter five, covering
many of the same concepts as in four. It is also the most useful of
the material to this point in the book, suggesting ways to lengthen
and harden passwords already chosen and preferred. (Some of the
advice is suspect: bracketing is easy to add to automated password
cracking programs, and even Burnett admits that "colorization" is a
weak idea due to the limitations on selection.) Chapter six takes an
extremely terse and abbreviated look at password aging, but all that
is really said is that it is inconvenient. Miscellaneous advice about
using, remembering, storing, and managing passwords is given in
chapter seven.  Chapter eight provides password creation tips, but
these are, after some of the previous material in the book, rather
weak, and typically boil down to the use of passphrases and long
passwords. Five hundred weak passwords are listed in chapter nine,
but the purpose of the list is not clear. As with chapter one, the
passwords are not analysed for strength in any way, and, even if you
want to check your favourite against the list, it isn't in
alphabetical order. Additional password creation tips are in chapter
ten, these slightly more useful. We are told, in chapter eleven, to
make complex passwords, uncommon passwords, and not to tell anyone our
passwords. Chapter twelve suggests having a regular "password day"
set aside to concentrate on changing passwords and creating strong
ones. Other forms of authentication are discussed in chapter
thirteen.
While the advice and information given in the book is not bad, it
seems to posit a fairly ideal world. A number of practical items can
assist users with password choice, but a number of realistic
considerations are ignored. Readers may also be confused by the lack
of constancy in the recommendations. Certainly the structure of the
text could use work: concepts are repeated in different chapters, and
the advice seems to be aggregated and presented at random.
There is good advice in this manual, but it lacks focus. The average
computer user would probably receive a lot of benefit, but is unlikely
to purchase or read anything this size on this topic. (A pocket sized
volume, along the lines of the O'Reilly "Desktop Reference" series
would be ideal.) System administrators would be able to understand
and use the material in the book, although much of the content is
either known or available. On balance, I would recommend that this
primer is important, but definitely needs work.
copyright Robert M. Slade, 2006 BKPRFPWD.RVW 20060420
====================== (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org
"Dictionary of Information Security" Syngress (forthcoming) 1597491152
Any fool can criticize, condemn and complain - and most do.
- Dale Carnegie (1888-1955)
http://victoria.tc.ca/techrev/rms.htm
From isn at c4i.org Tue Jun 6 06:05:23 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 6 Jun 2006 05:05:23 -0500 (CDT)
Subject: [ISN] Oracle mends fences with security researchers
Message-ID:
http://computerworld.co.nz/news.nsf/0/FB208DAE086D24ABCC2571810014C73E?OpenDocument
By Robert McMillan
San Francisco
6 June, 2006
Oracle once marketed its database as "unbreakable," but security
researcher David Litchfield has a less inflated opinion of the
software.
"God forbid that any of our critical national infrastructure runs on
this product," he said recently on the widely read Bugtraq security
mailing list. "Oops it does."
Security researchers like Litchfield, managing director of Next
Generation Security Software, based in Sutton, UK, make their living
finding flaws in other people's software. And, while this can put them
at odds with software makers, the relationship between Oracle and
people like Litchfield has been particularly bad.
In Litchfield's case, the problems go back to 2004, when he published
details of an unpatched Oracle vulnerability in a presentation written
for the Black Hat security conference. By Litchfield's account, Oracle
had given him the go-ahead to discuss the vulnerability, but changed
its mind at the last minute. Litchfield changed the topic of his
presentation, but he was unable to remove his slides from the
conference hand-out.
The next day, the Wall Street Journal wrote about the flaws and, ever
since, the relationship between Oracle and the tight network of
security researchers who hack its products has been tense.
This antagonism has prevented Oracle from receiving the independent
testing and security advice that would have improved its products,
says Cesar Cerrudo, chief executive officer of security research firm
Argeniss, based in Parana, Argentina. "Oracle has ignored researchers
and also attacked them, saying that researchers are the problem," he
says. "The problem is Oracle's flawed software and Oracle's amateur
handling of security related issues."
From Oracle's perspective, researchers like Litchfield profit from
the publicity they get for exposing Oracle's security flaws, but that
exposure comes at a price: more risk for Oracle's customers.
There is often little upside to cooperating with companies that do not
understand Oracle and who profit from publishing security
vulnerabilities, according to Oracle's chief security officer, Mary
Ann Davidson.
"What I really want is a world where there can be fair and accurate
criticism," she says. "I'm all for dialogue, but you have to establish
trust."
In the past few months, however, there have been a few signs that
things may be changing at the Redwood Shores, California, company.
Oracle is becoming better at communicating with the research
community, says Darius Wiles, manager of Oracle Security Alerts.
Wiles' team is now working out a new system which will let bug
reporters outside the company know they are not being ignored. "Once a
month, going forward, we'll provide them with a list of everything
that has not yet been fixed and indicate whether it's still under
investigation or whether it's been fixed."
Taking a cue from Microsoft, Oracle has even launched its own security
blog and Oracle no longer talks about its products as being
unbreakable. Davidson says that the first time she heard the marketing
slogan, she thought, "What idiot dreamed this up?" This outreach is
starting to pay off. Earlier this month, Litchfield wrote an
uncharacteristically positive Bugtraq posting about the company.
He says that he believes Oracle's products are becoming more secure
and even had some praise for his long-time nemesis, Davidson. "Another
thing that struck me was the amount of effort and time that it must
have taken to get a lumbering stegosaurus of a beast like Oracle to
turn around," he wrote. "Dare I say it, well done, Mary."
Though Oracle executives may not like having their company compared to
a Jurassic era dinosaur, this is far and away the most complimentary
Litchfield has been since the Black Hat presentation.
Still, the database giant is unwilling to go as far as its competitor
Microsoft in embracing the so-called "white hat" hackers. Microsoft
has invited researchers, including Litchfield and Cerrudo, to its
Redmond, Washington, campus for twice-yearly hacker conferences,
called Blue Hat.
Microsoft says that Blue Hat helps them make their products more
secure, but don't expect Oracle to invite hackers over to Redwood
Shores, California, anytime soon. Such an event is really not
necessary, Davidson says. "Microsoft had to go with the hacker love
fest model because they're a big target," she says.
Davidson believes that Oracle and Microsoft have very different
pedigrees when it comes to security. She says that security has been
built into the development of Oracle's products for years now, a
by-product of its long history of government use. The US Central
Intelligence Agency was one of Oracle's first customers, she claims.
Oracle's security team doesn't simply fix bugs. When a new flaw is
discovered, researchers make sure that what they've learned also
translates into secure coding practices for the development team. "For
at least 12 years we have built security into the formal development
process," Davidson says.
While Oracle has improved the security of some products, like the
recent Oracle 10g Release 2 database, the company still has a lot of
work to do, says Cerrudo.
"They said recently that they will change the way they communicate
with researchers, giving more feedback information, but nothing has
happened yet," he says. "Right now the only feedback you get is the
day before a patch is released they [tell] you your bug is going to be
patched and nothing else."
For all of the Oracle bugs that have been found, there has never been
a widespread Oracle attack like the Slammer worm which disabled
Microsoft SQL Server machines worldwide in 2003.
But some observers say that Oracle's reputation for security has more
to do with the fact that the database is typically buried in the
bowels of datacentres, and hidden behind corporate firewalls, far from
the prying eyes of hackers.
And, while users who have not exposed their databases to queries from
outside partners or customers may not be staying up late at night
worrying about Oracle's security, they do have concerns about the
future.
"We're in a nervous state, but we think it's manageable risk," says
Hal Kuff, a technology services manager with Tessco Technologies, in
Hunt Valley, Maryland.
Users must first be inside Tessco's local area network in order to
query the database, Kuff says. "If we were to pursue an Oracle
environment, where we invited direct connectivity from outside
partners, we would reconsider our security posture."
As these outside connections become more common, thanks to grid
computing and internet applications, outside experts like Litchfield
could become important to Oracle, Kuff says.
"As Oracle becomes more pervasive, they should absolutely explore a
relationship with the so called "white hat" hackers," he says.
"The people that are willing to sit down with them at the table are
one of their only defences against the people who will not sit down
with them at the table."
The pervasiveness Kuff talks about may be closer than many people
realise. Late last year, Litchfield conducted a survey of nearly half
a million computer systems on the internet and found nearly as many
Oracle databases exposed as he did Microsoft SQL server systems.
Extrapolating from his data, Litchfield estimated there were about
140,000 Oracle servers not firewalled on the internet. There are about
210,000 Microsoft SQL Servers similarly unprotected, he says.
"This is just a myth, that Oracle is in the back-end of nowhere
protected by all these firewalls," he says.
Still, like Microsoft, Oracle has reached a turning point and is
clearly making much more secure products, Litchfield says. Finding
bugs has become harder with the latest releases of its database and,
while Litchfield will undoubtedly remain a thorn in Oracle's side, he
realised earlier this month that the time had finally come to soften
his rhetoric.
"I just got weary to be honest," he says. "You see, they will get to
the point of having a secure product at some time - but all without
acknowledging that they were dragged to that point kicking and
screaming."
Copyright © 2005, IDG Communications New Zealand Limited
From isn at c4i.org Wed Jun 7 01:07:30 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:07:30 -0500 (CDT)
Subject: [ISN] Despite breaches, companies seen as lax on protecting data
Message-ID:
http://www.mercurynews.com/mld/mercurynews/business/technology/14754071.htm
By Aman Batheja
Fort Worth Star Telegram
Jun. 06, 2006
FORT WORTH, Texas - Another week, another huge breach of personal
data.
Dallas-based Hotels.com announced last week that credit-card numbers
and other personal information on about 243,000 of its customers were
on a laptop computer stolen from a car in February.
Last month, the Veterans Affairs Department announced that personal
information of 26.5 million veterans was compromised after a laptop
and disks were stolen from the home of a data analyst. Information on
1.3 million more people who borrowed money through the Texas
Guaranteed Student Loan Corp. was lost in May while in possession of a
contractor.
Despite the growing list of blunders, most companies still aren't
doing enough to protect their customers' data, according to security
experts. The reasons are largely the prohibitive costs of securing
mobile devices and a lack of public concern.
``Until businesses are held accountable ... legally, financially and
by customer demand for protecting that information, they're not in any
strong hurry to make it happen,'' said Rick Fleming, chief technology
officer with Digital Defense, a San Antonio-based network security
firm.
The Hotels.com data breach stems from an audit of the company's
transactions performed by Ernst & Young. The laptop was stolen from
the car of an analyst with the accounting firm. Hotels.com spokesman
Paul Kranhold said the incident occurred in Texas but would not say
where. He would not confirm nor deny news reports that indicated that
the theft occurred in the Dallas area.
The laptop required a password to use it. A file on the computer has
information mostly on customer transactions from 2004, although some
are from 2003 and 2002. The information on the file may have included
customers' names, addresses and some credit- or debit-card
information, according to a statement released by Ernst & Young.
Hotels.com is sending letters to every customer whose data may have
been on the laptop. Ernst & Young has set up a call center to address
questions or concerns involving the incident. The accounting firm has
also arranged for those affected to sign up for a credit-monitoring
service for a full year for free.
The information on the laptop was not encrypted, a practice of
protecting information by transforming it into an unreadable code.
Ernst & Young spokesman Charlie Perkins said the company had begun
installing encryption systems on all of the company's laptops earlier
this year, but the one with the Hotels.com data did not have the
system yet.
Ernst & Young has promised Hotels.com that it will take extra steps to
protect the company's data in the future, including encrypting
sensitive information. It has set up a toll-free phone number to help
those who may be in danger of identity theft: 866-387-2242.
Encryption is one of the most effective and efficient ways of securing
information on a laptop, said Mike Stute, chief technology officer for
Global DataGuard, a security risk-management company in Dallas.
Companies, especially larger ones, are hesitant to spend up to several
hundred dollars per laptop to encrypt data, Stute said.
``The truth is, the $1,000 laptop is trivial compared to the data on
the machine,'' Fleming said. ``I don't understand why every company
doesn't do it.''
Even a good encryption program is only as safe as the person operating
it. A hacker can easily overcome an encryption system that's protected
by a password if the user picked an easy one to guess, Fleming said.
A more secure system includes an encryption token, a small object that
must be plugged into the laptop's USB port to decrypt the information.
That type of system can be extremely effective -- as long as the
laptop and the token are kept apart.
Fleming recalled seeing a man in an airport with an encryption token
taped to his laptop, thereby defeating the purpose of having the token
at all.
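The two failure modes Fleming describes, a guessable password standing in front of a strong cipher and a token kept with the laptop it unlocks, can be made concrete. What follows is an added example, not code from the article or from any of the vendors quoted in it. It models a simplified disk-encryption header in which the data-encryption key is wrapped under a key derived from either a typed password or a random token secret, then runs the offline dictionary attack that anyone holding the stolen machine can run against that header. The header layout, the word list and the sample passwords are constructed for illustration; real products use standardized key wrapping, but the check value that lets an attacker test guesses offline is the same idea.

```python
"""Why password-protected encryption is only as strong as the password.

Added example, not from the article. Models a simplified disk-encryption
header: the data-encryption key (DEK) is wrapped under a key-encryption key
(KEK) derived with PBKDF2-HMAC-SHA256 from either a user password or a
random token secret. An attacker with the stolen laptop tests guesses
offline against the header's check value. Header format, word list and
sample passwords are all constructed for this demonstration.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# PBKDF2 work factor: slows every guess, but cannot rescue a password that
# is in the attacker's list anyway.
ITERATIONS = 100_000


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key from a password or a token secret."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def make_header(secret: bytes, dek: bytes) -> dict:
    """Wrap the 32-byte DEK under the KEK and store a check value.

    Wrapping is an XOR with a keystream derived from the KEK; the HMAC lets
    a decryptor (and therefore an attacker) tell right secrets from wrong
    ones. Real systems use AES key wrap, but the check value is the point.
    """
    salt = os.urandom(16)
    kek = derive_kek(secret, salt)
    stream = hashlib.sha256(kek + b"wrap").digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, stream))
    check = hmac.new(kek, wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "check": check}


def unwrap(header: dict, secret: bytes) -> Optional[bytes]:
    """Return the DEK if `secret` is correct, otherwise None."""
    kek = derive_kek(secret, header["salt"])
    expected = hmac.new(kek, header["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, header["check"]):
        return None
    stream = hashlib.sha256(kek + b"wrap").digest()
    return bytes(a ^ b for a, b in zip(header["wrapped"], stream))


# Constructed attacker word list (a real one would hold millions of entries).
WORDLIST = [b"123456", b"password", b"qwerty", b"letmein",
            b"hotels2004", b"Summer06!", b"Welcome1"]


def dictionary_attack(header: dict, wordlist=WORDLIST) -> Tuple[Optional[bytes], int]:
    """Offline guessing against a stolen header: (recovered secret, guesses)."""
    for n, guess in enumerate(wordlist, 1):
        if unwrap(header, guess) is not None:
            return guess, n
    return None, len(wordlist)


def demo() -> dict:
    dek = secrets.token_bytes(32)  # the key that actually protects the records

    # Case 1: a user-chosen password that happens to be in the attacker's list.
    weak_header = make_header(b"Summer06!", dek)
    weak_hit, weak_guesses = dictionary_attack(weak_header)

    # Case 2: a 128-bit secret held on a USB token; never typed, in no list.
    token_secret = secrets.token_bytes(16)
    token_header = make_header(token_secret, dek)
    token_hit, _ = dictionary_attack(token_header)

    # Case 3: the token taped to the laptop hands the attacker the secret.
    taped = unwrap(token_header, token_secret)

    return {
        "weak_password_recovered": weak_hit,
        "weak_password_guesses": weak_guesses,
        "weak_password_yields_dek": weak_hit is not None and unwrap(weak_header, weak_hit) == dek,
        "token_recovered_by_wordlist": token_hit,
        "token_taped_to_laptop_yields_dek": taped == dek,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The iteration count only multiplies the attacker's cost per guess; against a seven-entry list that is a fraction of a second, and a password drawn from a published weak-password list loses no matter how good the cipher behind it is. The token case resists the same attack because its secret is not guessable, and the third case shows the token taped to the machine reducing the whole scheme to no encryption at all.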
A slew of large data breaches have surfaced in the past year mainly
because laws passed in several states now require companies to report
these embarrassing mistakes.
California started the trend of data-breach laws in 2003. The Texas
Breach of Computer Security Statute went into effect in September.
``There's no question that the states are taking the lead on identity
theft,'' said Ed Mierzwinski, consumer program director for the Texas
Public Interest Research Group.
A handful of bills working their way through Congress would make
data-breach notification a national law. Depending on which bill
passes, companies may be required to report any data breaches where
there's a chance for identity theft or fraud, or only when there's a
good chance of misuse of the data.
No matter what laws are passed, Stute doubts that companies will get
more serious about protecting sensitive data until the technology
becomes cheaper and easier to use. He noted that they have little
motivation, considering that most of the major data breaches over the
last year have not appeared to impose any lasting damage to the image
of the company at fault.
``It never seems to stop consumers anyway,'' Stute said. ``It's bad
press, but it doesn't seem to hit home with anybody.''
From isn at c4i.org Wed Jun 7 01:07:44 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:07:44 -0500 (CDT)
Subject: [ISN] Fraidy Cat Marketing
Message-ID:
http://www.forbes.com/home/free_forbes/2006/0605/100.html
By Matthew Rand and David Whelan
06.05.06
To sell antivirus software, first you must sell the fear.
Verisign, the intrepid Web security giant, issued an ominous warning
in December. It predicted an imminent invasion by a worm called Sober,
which would infect networks worldwide and clog up the Internet. It
would be timed to coincide with the 87th anniversary of the founding
of the Nazi party. Other firms joined in a chorus of worry, offering
an abundance of soundbites for news outlets. Then in January dozens
more reports, similarly circulated by security firms, warned that an
e-mailed virus called Kama Sutra would ruin PCs from Seattle to Sri
Lanka.
Neither outbreak ever occurred. Two small security software outfits
claimed credit for blocking Kama Sutra, but Microsoft (Nasdaq: MSFT)
said later the threat was overblown. Vincent Weafer, who runs the
security response division at Symantec (Nasdaq: SYMC), the world's
largest seller of antivirus software, concedes both threats were duds
and that his rivals overhyped them.
"To get attention, you pick something new and say the sky's falling
down," he says.
Fear-mongering sparks big business in the thriving computer security
industry. Spending will grow 18% this year to $38 billion. In 1995
venture capitalists backed all of 3 new security firms; last year they
funded 96 newcomers. To stir up business, they ply fearful forecasts
and ominous ads. RSA Security's (Nasdaq: RSAS) annual conference in
San Jose, Calif. drew 14,000 this year, up from 10,000
in 2004. Some 4,000 attendees paid the full $1,100 to $1,900 to get
spooked in person.
The fetish for fretfulness has gotten old. U.S. losses last year from
corporate security breaches "declined dramatically," say the Computer
Security Institute and the Federal Bureau of Investigation, to $130
million based on a survey of 639 companies. (Other incidents go
undetected because companies are too ashamed to report them.)
Three-quarters of companies said they had some virus problems last
year, but 94% said so in 2001.
The improving stats have done little to lift the security industry's
mood. Symantec recently warned that instant messaging would be the
next source of threats, while flogging a new product that scans
instant messages for viruses. In 2003 it called cell phones "the
Achilles heel," while promoting new wireless products. "Chief
executives are like consumers. They are heavily influenced by what
they see on CNN or in the newspapers," says Symantec's Weafer.
The antivirus warriors lately have conducted surveys to highlight a
glaring security weakness: the gullibility of a company's own
employees. Never mind that even their toughest products can't protect
much against same. Offered the chance to win chocolate Easter eggs,
81% of London commuters polled gave out their birthdays, pet names and
other personal data, possible clues for cracking into their e-mail
accounts. The pollsters were hired by the organizers of the
Infosecurity Europe conference.
Before the same conference two years ago RSA Security performed a
similar stunt and found that 79% of people gave out this kind of
personal information--free. That prompted a press release: "Internet
identity theft threatens to be the next crime wave to hit Britain."
In the U.S., RSA, which sells electronic tokens that generate
randomized passwords, hired a perky team in "I Love NY" T shirts to
scour Central Park and sweet-talk tourists into giving out their
mothers' maiden names; 70% did. Newscasts in San Francisco, Miami and
Boston ran the story. Christopher Young, an RSA vice president,
bristles at any suggestion that the surveys were aimed at stoking
sales. "It's hardly that direct." The surveys, he says, are used only
to "raise awareness."
Some 70% of security breaches are caused by human error, says a March
2006 survey by the Computing Technology Industry Association. Brian
Boetig, a supervisory special agent with the FBI's computer crime unit
in San Jose, Calif., describes the typical breach: "When you fire an
employee and don't change their password, they can get into the system
and get information to a competitor." No technical solution there.
Says Boetig: "There are people creating problems so they can fix them.
But that's marketing for you."
© Forbes.com Inc. - All Rights Reserved
From isn at c4i.org Wed Jun 7 01:08:04 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:08:04 -0500 (CDT)
Subject: [ISN] Commerce sets up IT security education program
Message-ID:
http://www.gcn.com/print/25_14/40927-1.html
By Patience Wait
GCN Staff
06/05/06 issue
The first step toward better information security in the government is
to provide more training for the people responsible for keeping
systems safe.
That's the approach being taken by Nancy DeFrancesco, chief
information security officer for the Commerce Department. With
DeFrancesco as the champion, the department is implementing an
education and training program for its information security
professionals that she hopes will develop into a center of excellence
within the Security Line of Business initiative established by the
Office of Management and Budget.
DeFrancesco convinced the department last month to hire (ISC)2 Inc. of
Palm Harbor, Fla., to provide courses for employees to earn
designations as Certified Information Systems Security Professionals
(CISSP), System Security Certified Professionals (SSCP) and
Certification and Accreditation Professionals (CAP).
"Education is a large part [of our IT budget] because I make it that
way," DeFrancesco said. "I have a commitment from the Secretary of
Commerce [Carlos M. Gutierrez] that it's important."
For the past two years, IT security professionals in the department
had been using the Office of Personnel Management's online learning
center. But DeFrancesco wanted a broader course offering, and she
wanted to give employees different ways to access materials.
Funding issues
"Our component [agencies] were interested in instructor-led training,
and, of course, people learn in different ways," she said.
Getting the funding to set up the educational program was a challenge,
DeFrancesco said. Her office has a small budget; most information
security funds are allocated to the department's major program areas.
To gain the funding, she persuaded component agencies, such as the
Census Bureau, to contribute money to get it off the ground.
"We had great participation - I was very surprised and pleased," she
said. "A solid education program is critical to reaching personnel in
the department with significant information security responsibility."
John Mongeon, head of the government services division at (ISC)2, said
that DeFrancesco's push to set up training and education opportunities
shows that "Commerce is dedicated to building the next generation of
information security managers."
"Commerce is a pretty robust agency, with personnel all over the
place," Mongeon said.
To accommodate the dispersed workforce, his company will be providing
courses through several channels - classes on-site at Commerce
headquarters in Washington, vouchers for employees scattered around
the country to take classes off-site at (ISC)2 public education
venues, and online classes.
The first, one-day class, on the system certification and
accreditation process, was held May 31 at Commerce headquarters. All
the session's 25 slots were filled and DeFrancesco already has a
waiting list for the next offering. The department will hold a week of
information security training the first week of August, and is
planning to schedule other certification and accreditation classes in
June and July.
DeFrancesco said that she is hoping the information security education
program will prove so successful that it can be established as a
center of excellence in OMB's Security LOB.
A COE does not have to provide soup-to-nuts solutions for a particular
line of business; instead, it can carve out a particular specialty.
The Justice Department, for instance, last fall submitted a business
case to OMB that its Cyber Security Assessment and Management system
should become the standard tool for all agencies looking to track
FISMA compliance.
Sources said the Treasury Department and the Environmental Protection
Agency also submitted business cases related to aspects of the
Security LOB for fiscal 2007, but no decisions have been made about
granting any of the applications.
It might seem ironic for a department to aspire to host a center of
excellence in security despite its poor Federal Information Security
Management Act grades - under FISMA agencies are graded on their
security measures and compliance, and Commerce has veered from F to C-
to D+ over the past three years. But DeFrancesco said it's
appropriate, because everything starts with educating and training the
people who bear the responsibility for implementing security.
"I did participate on the task force for the information security LOB,
[and I'm] very familiar with that particular initiative," she said.
DeFrancesco said it is too early to put together the business case
application to submit to OMB. The education program first has to get
up and running, and demonstrate its value to information security
professionals.
From isn at c4i.org Wed Jun 7 01:08:29 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:08:29 -0500 (CDT)
Subject: [ISN] Ahold USA pension data lost when laptop disappears
Message-ID:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000953
By Todd Weiss
Computerworld
June 05, 2006
A laptop computer containing the names and personal information of an
undisclosed number of retirees of grocery store chain Ahold USA
disappeared last month after it was placed in checked baggage on a
commercial U.S. flight and the bag was lost by the airline.
Barry Scher, a spokesman for Ahold USA in Quincy, Mass., said the
company has notified the retirees about the incident by mail but added
that information about the number of affected former employees and the
kind of data kept on the laptop is not being made public. "We're not
giving out any numbers to protect our people," he said.
Scher said the laptop was lost by an employee of Electronic Data
Systems Corp., which provides data processing services for the Ahold
USA Pension Plan. The laptop was password-protected and contained a
file with the personal information of retired participants in the
pension plan and of some other former employees of Ahold USA
subsidiaries, including Stop & Shop Supermarket Cos., also in Quincy,
Mass., according to a company statement.
Kimberly Walton, a spokeswoman for EDS, today acknowledged that the
computer was lost amid baggage on a flight after an airline employee
asked the EDS worker to check the bag rather than carry it onto the
aircraft. "By doing so, that employee violated our company policy,"
Walton said.
The employee has been disciplined, but Walton would not comment
further on whether the person still works for EDS. After the laptop
was determined to be lost, the EDS employee did notify the airline and
local police about the incident, she said. EDS then told Ahold about
what had happened, Walton said.
Scher and Walton would not specify when or where the incident occurred
or what airline was involved. Walton said the company has received no
reports that any of the data has been used illegally.
EDS and Ahold have notified the three major credit bureaus of the data
loss, and personal notification letters are being sent out to
the affected retirees. A toll-free telephone line has also been set up
to allow retirees to get information on obtaining free credit reports
and free credit monitoring for one year, Walton said.
Ahold USA is a subsidiary of Amsterdam-based Royal Ahold, an
international grocery store operator. In addition to Stop & Shop,
Ahold USA operates Carlisle, Pa.-based Giant Food Stores, Buffalo,
N.Y.-based Tops Market stores and Landover, Md.-based Giant Food
stores.
From isn at c4i.org Wed Jun 7 01:08:49 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:08:49 -0500 (CDT)
Subject: [ISN] Data Theft Hit 80% Of Active Military
Message-ID:
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/06/AR2006060601332.html
By Ann Scott Tyson and Christopher Lee
Washington Post Staff Writers
June 7, 2006
Social Security numbers and other personal information for as many as
2.2 million U.S. military personnel -- including nearly 80 percent of
the active-duty force -- were among the data stolen from the home of a
Department of Veterans Affairs analyst last month, federal officials
said yesterday, raising concerns about national security as well as
identity theft.
The department announced that personal data for as many as 1.1 million
active-duty military personnel, 430,000 National Guard members and
645,000 reserve members may have been included on an electronic file
stolen May 3 from a department employee's house in Aspen Hill. The
stolen data include names, birth dates and Social Security numbers, VA
spokesman Matt Burns said.
Defense officials said the loss is unprecedented and raises concerns
about the safety of U.S. military forces. But they cautioned that law
enforcement agencies investigating the incident have not found
evidence that the stolen information has been used to commit identity
theft.
"Anytime there is a theft of personal information, it is concerning
and requires us and our members to be vigilant," Pentagon spokesman
Bryan Whitman said. He said the loss is "the largest that I am aware
of."
Army spokesman Paul Boyce said: "Obviously there are issues associated
with identity theft and force protection."
For example, security experts said, the information could be used to
find out where military personnel live. "This essentially can create a
Zip code for where each of the service members and [their] families
live, and if it fell into the wrong hands could potentially put them
at jeopardy of being targeted," said David Heyman, director of the
homeland security program at the Center for Strategic and
International Studies (CSIS).
Another worry is that the information could reach foreign governments
and their intelligence services or other hostile forces, allowing them
to target service members and their families, the experts said.
"There is a global black market in this sort of information . . . and
you suddenly have a treasure trove of information on the U.S. military
that is available," said James Lewis, director of technology and
public policy at CSIS.
One defense official, speaking on the condition of anonymity because
of the sensitivity of the matter, called the potential damage
"monumental."
The new revelations significantly increase the potential harm from
what was already one of the largest data breaches in U.S. history. On
May 22, VA disclosed that an external computer hard drive was stolen
May 3 from the home of a VA employee and that it contained unencrypted
names and birth dates for as many as 26.5 million veterans who were
discharged after 1975 or submitted benefit claims. It also included
Social Security numbers for 19.6 million of those veterans, VA
officials said.
Initially VA thought that all of the 26.5 million people affected were
veterans, but a database comparison revealed that they also included
the bulk of active-duty military services, as well as more than 1
million members of the National Guard and reserves.
Montgomery County police released a description yesterday of the
stolen laptop and its external hard drive because they said it may
have been purchased by someone who does not realize the value of its
content. "It could have shown up at a yard sale or a secondhand
store," police spokeswoman Lucille Baur said. "This is a time of the
year when parents may be buying computers for kids going to college in
the fall."
Montgomery County police are offering a $50,000 reward for information
that allows authorities to recover the laptop. The computer is a
Hewlett-Packard model zv5360us and the external hard drive is an HP
External Personal Media Drive.
The Washington Post is not publishing the name of the career data
analyst whose laptop was stolen in response to a request from law
enforcement authorities who are investigating its disappearance.
The breach outraged veterans -- even more so because senior VA
officials knew about the theft within hours of the crime but did not
tell VA Secretary Jim Nicholson until 13 days later. The 60-year-old
analyst, who had been taking home sensitive data for at least three
years without authorization, has been fired, officials have said. His
boss resigned last week and another senior VA official is on
administrative leave pending investigations by the FBI, the VA
inspector general and Montgomery County police.
A coalition of veterans groups filed a class-action lawsuit against
the federal government yesterday, contending that privacy rights were
violated and seeking $1,000 in damages for each affected veteran.
The lawsuit, filed in U.S. District Court in the District of Columbia,
demands that VA fully disclose who was affected by the theft, and asks
a court to prohibit VA workers from using sensitive data until
safeguards are in place. Burns said the department does not comment on
pending litigation. He said VA has received no reports of stolen data
being used for identity theft or other criminal activity.
VA receives records for every new recruit because active-duty
personnel, National Guard members and reservists are eligible for
certain VA benefits, such as GI Bill educational assistance and the
home-loan program.
"The department will continue to make every effort to inform and help
protect those potentially affected, and is working with the Department
of Defense to notify all affected personnel," Nicholson said.
Rep. Lane Evans (D-Ill.), ranking member of the House Veterans'
Affairs Committee, said yesterday that he was "appalled" at the data
breach and called for a Government Accountability Office investigation
into VA information security practices.
Research shows that it is not unusual for government employees to take
home sensitive data on laptops, Lewis said. "The rules we have are
either chaotic or nonexistent. . . . We still have a paper rules
government when we are a digital nation."
Staff writer Ernesto Londoño contributed to this report.
© 2006 The Washington Post Company
From isn at c4i.org Wed Jun 7 01:09:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:09:17 -0500 (CDT)
Subject: [ISN] DHS doesn't take cyberattack threats seriously, former IG says
Message-ID:
Forwarded from: William Knowles
http://www.fcw.com/article94792-06-06-06-Web
By Christopher J. Dorobek
June 6, 2006
HILTON HEAD, S.C. -- The United States and the Homeland Security
Department are "manifestly and woefully unprepared" for a cyberattack,
the former DHS inspector general said.
Al Qaeda is training people and focusing on launching cyberattacks,
but DHS has "failed to make this a priority," said Clark Ervin, the
director of the Aspen Institute's Homeland Security Initiative and
former DHS IG, speaking at the American Council for Technology's
Management of Change conference here.
DHS is on its fifth cybersecurity leader. That is an indication of the
department's lack of focus on this issue, he said, and it is an
illustration of how unprepared the agency is to serve as a model for
how cybersecurity should be handled.
Ervin, who has written a book, "Open Target: Where America Is
Vulnerable to Attack [1]," said terrorists are keenly aware of where
the country's weaknesses are and will work to take advantage of those
weaknesses.
He referred to one IG report that stated DHS wireless networks were
largely unsecured. If the agency isn't addressing issues as seemingly
simple as securing wireless, what else is not getting done? he asked.
Ervin offered a somewhat damning view of the efforts to secure the
country. He said the United States is safer today than it was before
the 2001 terrorist attacks, but the real question that needs to be
asked is whether the country is as secure as it should be and as it
needs to be.
[1] http://www.amazon.com/exec/obidos/ASIN/1403972885/c4iorg
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
From isn at c4i.org Wed Jun 7 01:09:40 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:09:40 -0500 (CDT)
Subject: [ISN] Warning on air traffic hacking
Message-ID:
http://www.theaustralian.news.com.au/story/0,20867,19378061-23349,00.html
Steve Creedy
Aviation writer
June 06, 2006
HACKERS armed with little more than a laptop computer could conjure up
phantom planes on the screens of Australia's air traffic controllers
using new radar technology, Dick Smith has warned.
The prominent businessman and aviator claims to have found another
security flaw in the new software being introduced in the air traffic
control system.
He has challenged Transport Minister Warren Truss to allow him to set
up a demonstration of the problem at a test of the technology in
Queensland to show how hackers could exploit the automatic dependent
surveillance broadcast (ADS-B) system to create false readings on
an air traffic controller's screen.
The air space activist says he had been told of the flaw by staff at
the US Federal Aviation Administration.
"FAA officials have become aware that an electronics boffin, using a
second-hand or 'borrowed' transponder from a small (general aviation)
aircraft connected to a $5 data lead, a $5 aerial and a laptop
computer, can create 10, 20 or even 50 false aircraft on an air
traffic controller's screen," Mr Smith says in a letter to Mr Truss.
"This will create total chaos in the air traffic control system."
Australia is at the forefront of ADS-B, which uses the global
positioning system and aircraft avionics to automatically broadcast
information about a plane's position, speed and direction.
Authorities are poised to introduce the system for high-level
airspace, but are yet to make a decision on whether to use it at lower
altitudes.
The US is also rolling out ADS-B. The technology has been
enthusiastically endorsed by senior executives of the aviation
administration and the airline industry.
But Mr Smith, who is campaigning against the scheme and has raised
safety and security concerns about the design, said the system had no
way of verifying whether a plane was where it claimed to be or if it
existed at all.
He said the FAA was looking at ways of encrypting signals or setting
up multiple ground stations at each location to allow the traffic
controllers to determine whether a signal came from a moving aircraft.
This would significantly increase the cost of ADS-B.
"As we all know, criminals create viruses for computer networks which
have cost the world hundreds of millions of dollars," Mr Smith said.
"Exactly the same people are likely to create spoofing for the air
traffic control system."
A spokeswoman for Mr Truss said yesterday the minister had received a
lot of correspondence from Mr Smith on ADS-B.
"This recent letter is being considered and we will be writing back
formally to him," she said. "Mr Smith did meet the minister in the
past few weeks and we would point out that no decision about ADS-B has
been made, nor is a decision imminent."
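The defence Smith says the FAA is considering, several ground stations per site so controllers can tell whether a report really came from where it claims, as an added example in Python (not code from the article, the FAA or any ADS-B vendor): each station timestamps the same position report, and the pairwise time differences of arrival are compared with those the claimed position would produce; a report whose timing does not fit is flagged. The station layout, the aircraft and spoofer positions, the shared-clock assumption and the 0.5 km tolerance are all constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

# Speed of light in km/s. Assumption: all ground stations stamp arrivals
# on one shared clock (GPS-disciplined in practice).
C_KM_PER_S = 299_792.458

Point = Tuple[float, float]  # (x_km, y_km) on a flat local grid (assumption)


@dataclass(frozen=True)
class Station:
    name: str
    pos: Point


@dataclass(frozen=True)
class Receipt:
    """One ground station's record of a single ADS-B position report."""
    station: Station
    received_s: float   # arrival time in seconds on the shared clock
    claimed_pos: Point  # the position the message itself asserts


def distance_km(a: Point, b: Point) -> float:
    return math.hypot(a[0] - b[0], a[1] - b[1])


def tdoa_residuals_km(receipts: List[Receipt]) -> List[float]:
    """For every station other than the first, compare the observed
    time-difference-of-arrival (converted to km of path difference) with
    the difference the claimed position would produce. Residuals near
    zero mean the signal really came from near the claimed position."""
    ref = receipts[0]
    claimed = ref.claimed_pos
    residuals = []
    for r in receipts[1:]:
        if r.claimed_pos != claimed:
            raise ValueError("receipts must describe the same message")
        observed_km = (r.received_s - ref.received_s) * C_KM_PER_S
        expected_km = (distance_km(claimed, r.station.pos)
                       - distance_km(claimed, ref.station.pos))
        residuals.append(abs(observed_km - expected_km))
    return residuals


def position_is_consistent(receipts: List[Receipt],
                           tolerance_km: float = 0.5) -> bool:
    """True when the claimed position agrees with where the signal was
    actually heard. Three stations are the minimum for a meaningful check
    on a flat grid; any single claimed position fits one or two stations."""
    if len(receipts) < 3:
        raise ValueError("need at least three ground stations")
    return max(tdoa_residuals_km(receipts)) <= tolerance_km


def simulate_receipts(transmitter: Point, claimed: Point,
                      stations: List[Station], t0_s: float = 0.0) -> List[Receipt]:
    """Constructed sample input: the arrival times an ideal, noise-free
    network would record for a message sent from `transmitter` at t0_s,
    whatever position the message claims."""
    return [Receipt(s, t0_s + distance_km(transmitter, s.pos) / C_KM_PER_S, claimed)
            for s in stations]


# Constructed ground-station layout: four receivers on a 60 km square.
STATIONS = [Station("north-west", (0.0, 60.0)), Station("north-east", (60.0, 60.0)),
            Station("south-west", (0.0, 0.0)), Station("south-east", (60.0, 0.0))]


def genuine_report() -> List[Receipt]:
    # An aircraft at (25, 40) km reporting its true position.
    return simulate_receipts((25.0, 40.0), (25.0, 40.0), STATIONS)


def phantom_report() -> List[Receipt]:
    # A transmitter sitting on the ground at (5, 5) km claiming an aircraft
    # at (45, 50) km: the arrival timing tells a different story.
    return simulate_receipts((5.0, 5.0), (45.0, 50.0), STATIONS)


if __name__ == "__main__":
    for label, receipts in (("genuine", genuine_report()), ("phantom", phantom_report())):
        worst = max(tdoa_residuals_km(receipts))
        verdict = "consistent" if position_is_consistent(receipts) else "INCONSISTENT"
        print(f"{label}: worst residual {worst:.1f} km -> {verdict}")
```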
From isn at c4i.org Wed Jun 7 01:07:11 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 7 Jun 2006 00:07:11 -0500 (CDT)
Subject: [ISN] Linux Security Week - June 5th 2006
Message-ID:
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| June 5th, 2006 Volume 7, Number 23n |
| |
| Editorial Team: Dave Wreski dave at linuxsecurity.com |
| Benjamin D. Thomas ben at linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Post-
Encryption Security," "Setup a transparent proxy with Squid in three
easy steps," and "Small Security Risk Still Big Selling Point for
Linux."
---
Security on your mind?
Protect your home and business networks with the free, community
version of EnGarde Secure Linux. Don't rely only on a firewall to
protect your network, because firewalls can be bypassed. EnGarde
Secure Linux is a security-focused Linux distribution made to protect
your users and their data.
The security experts at Guardian Digital fortify every download of
EnGarde Secure Linux with eight essential types of open source
packages. Then we configure those packages to provide maximum
security for tasks such as serving dynamic websites, high
availability mail, transport, network intrusion detection,
and more. The result for you is high security, easy
administration, and automatic updates.
The Community edition of EnGarde Secure Linux is completely
free and open source. Updates are also freely available when
you register with the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi
---
EnGarde Secure Linux v3.0.6 Now Available
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.6 (Version 3.0, Release 6). This release includes
several bug fixes and feature enhancements to the Guardian Digital
WebTool and the SELinux policy, several updated packages, and a couple
of new packages available for installation.
http://www.linuxsecurity.com/content/view/122648/65/
---
pgp Key Signing Observations: Overlooked Social and
Technical Considerations
By: Atom Smasher
While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking.
http://www.linuxsecurity.com/content/view/121645/49/
---
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News: |
+---------------------+
========================================================================
The Secunia Weekly Advisory Summary
2006-06-01 - 2006-06-08
This week: 79 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
The Secunia staff is spending hours every day to assure you the best
and most reliable source for vulnerability information. Every single
vulnerability report is being validated and verified before a Secunia
advisory is written.
Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/
========================================================================
2) This Week in Brief:
Multiple browsers are affected by a vulnerability rated "Less
Critical", which can be exploited by malicious people to trick users
into disclosing sensitive information.
Additional details for the different affected browsers can be found in
the referenced Secunia advisories below.
References:
http://secunia.com/SA20442
http://secunia.com/SA20467
http://secunia.com/SA20449
http://secunia.com/SA20472
http://secunia.com/SA20470
--
Updates have been released for several Mozilla-based products,
including Firefox and Thunderbird, which correct several
vulnerabilities.
Further details can be found in the referenced Secunia advisories
below.
References:
http://secunia.com/SA20376
http://secunia.com/SA20382
http://secunia.com/SA20394
--
VIRUS ALERTS:
During the past week Secunia collected 44 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.
========================================================================
3) This Week's Top Ten Most Read Advisories:
1. [SA20384] Microsoft Windows "mhtml:" URI Buffer Overflow
Vulnerability
2. [SA20376] Firefox Multiple Vulnerabilities
3. [SA20153] Microsoft Word Malformed Object Code Execution
Vulnerability
4. [SA20442] Firefox File Upload Form Keystroke Event Cancel
Vulnerability
5. [SA19762] Internet Explorer "object" Tag Memory Corruption
Vulnerability
6. [SA20449] Internet Explorer File Upload Form Keystroke Event
Cancel Vulnerability
7. [SA20382] Thunderbird Multiple Vulnerabilities
8. [SA20365] MySQL Multibyte Encoding SQL Injection Vulnerability
9. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of
Sensitive Information
10. [SA19521] Internet Explorer Window Loading Race Condition Address
Bar Spoofing
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA20462] LocazoList Classifieds "msgid" Parameter SQL Injection
[SA20423] myNewsletter "UserName" SQL Injection Vulnerability
[SA20419] aspWebLinks SQL Injection and Password Change
Vulnerabilities
[SA20416] ASPScriptz Guest Book "submit.asp" Script Insertion
Vulnerabilities
[SA20411] CodeAvalanche FreeForum Multiple Vulnerabilities
[SA20483] WinGate WWW Proxy Server Buffer Overflow Vulnerability
[SA20477] Microsoft NetMeeting Denial of Service Vulnerability
[SA20449] Internet Explorer File Upload Form Keystroke Event Cancel
Vulnerability
[SA20425] ASP Discussion Forum "search" Parameter Cross-Site Scripting
UNIX/Linux:
[SA20487] Wikiwig "WK[wkPath]" File Inclusion Vulnerability
[SA20473] HP Tru64 UNIX and HP Internet Express Sendmail Vulnerability
[SA20415] iShopCart Buffer Overflow and Directory Traversal
Vulnerabilities
[SA20466] LoudHush iaxclient Unspecified Vulnerability
[SA20457] SUSE Updates for Multiple Packages
[SA20451] Debian update for postgresql
[SA20446] Debian update for centericq
[SA20435] Trustix update for postgresql
[SA20422] Red Hat update for dia
[SA20482] Red Hat update for spamassassin
[SA20443] Debian update for spamassassin
[SA20430] SpamAssassin "spamd" Shell Command Injection Vulnerability
[SA20498] GANTTy Cross-Site Scripting and Information Disclosure
[SA20476] Sylpheed-Claws URI Check Bypass Security Issue
[SA20497] Asterisk IAX2 Channel Driver Denial of Service Vulnerability
[SA20461] Debian update for freeradius
[SA20424] Slackware update for mysql
[SA20421] Red Hat update for quagga
[SA20420] Red Hat update for zebra
[SA20456] Avaya Products XScreenSaver Insecure Temporary File Creation
Vulnerability
[SA20445] Sun StorADE Privilege Escalation Vulnerability
[SA20459] Avaya PDS HP-UX Kernel Denial of Service Vulnerability
Other:
[SA20479] Ingate Firewall and SIParator Two Vulnerabilities
[SA20474] D-Link DWL-2100AP Exposure of Configuration Files
Cross Platform:
[SA20480] Clan Manager Pro cmpro_header.inc.php File Inclusion
[SA20475] MiraksGalerie Multiple File Inclusion Vulnerabilities
[SA20468] DreamAccount "da_path" File Inclusion Vulnerabilities
[SA20463] dotWidget CMS "file_path" Parameter File Inclusion
Vulnerability
[SA20448] Informium "CONF[local_path]" File Inclusion Vulnerability
[SA20440] CS-Cart "classes_dir" Parameter File Inclusion Vulnerability
[SA20439] WebspotBlogging Multiple File Inclusion Vulnerabilities
[SA20437] DotClear "blog_dc_path" File Inclusion Vulnerability
[SA20434] Claroline Two File Inclusion Vulnerabilities
[SA20429] DokuWiki Spell Checker Code Execution Vulnerability
[SA20426] AssoCIateD "root_path" File Inclusion Vulnerabilities
[SA20408] REDAXO "REX[INCLUDE_PATH]" File Inclusion Vulnerabilities
[SA20486] Open Business Management Multiple Vulnerabilities
[SA20471] Kmita FAQ Cross-Site Scripting and SQL Injection
Vulnerabilities
[SA20469] Alex News-Engine "newsid" Parameter SQL Injection
Vulnerability
[SA20465] Coppermine Photo Gallery usermgr.php Unspecified
Vulnerability
[SA20460] LifeType "articleId" SQL Injection Vulnerability
[SA20458] MediaWiki Edit Form Script Insertion Vulnerability
[SA20450] Dmx Forum Disclosure of Sensitive Information
[SA20447] Weblog Oggi Script Insertion Vulnerability
[SA20438] BlueShoes Framework Multiple File Inclusion Vulnerabilities
[SA20433] FunkBoard Authentication Bypass and Cross-Site Scripting
[SA20428] Particle Wiki Script Insertion and SQL Injection
[SA20427] Particle Gallery "imageid" SQL Injection Vulnerability
[SA20414] TAL RateMyPic Multiple Vulnerabilities
[SA20413] Snort "http_inspect" Preprocessor Bypass Vulnerability
[SA20410] Unak-CMS SQL Injection and Cross-Site Scripting
Vulnerabilities
[SA20409] SimpleBoard "sb_authorname" Script Insertion Vulnerability
[SA20452] TIBCO Rendezvous HTTP Administrative Interface Buffer
Overflow
[SA20500] GD Graphics Library GIF File Handling Denial of Service
[SA20491] Particle Links "username" Parameter Cross-Site Scripting
[SA20490] Particle Whois "target" Parameter Cross-Site Scripting
[SA20478] DokuWiki Restricted Page Content Disclosure Vulnerability
[SA20472] Mozilla SeaMonkey File Upload Form Keystroke Event Cancel
Vulnerability
[SA20470] Netscape File Upload Form Keystroke Event Cancel
Vulnerability
[SA20467] Mozilla Suite File Upload Form Keystroke Event Cancel
Vulnerability
[SA20455] KnowledgeTree Open Source Cross-Site Scripting
Vulnerabilities
[SA20453] PHP ManualMaker Multiple Cross-Site Scripting
Vulnerabilities
[SA20444] PHP Pro Publish "catname" Parameter Cross-Site Scripting
[SA20442] Firefox File Upload Form Keystroke Event Cancel
Vulnerability
[SA20441] OSADS Board Comments Script Insertion Vulnerability
[SA20436] PyBlosxom Contributed Packages Cross-Site Scripting
Vulnerability
[SA20418] dotProject Cross-Site Scripting Vulnerability
[SA20417] LabWiki Cross-Site Scripting Vulnerabilities
[SA20412] Drupal Taxonomy Module Cross-Site Scripting Vulnerability
[SA20431] TIBCO Hawk "tibhawkhma" Privilege Escalation Vulnerability
========================================================================
5) Vulnerabilities Content Listing
Windows:--
[SA20462] LocazoList Classifieds "msgid" Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-05
ajann has discovered a vulnerability in LocazoList Classifieds, which
can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20462/
--
[SA20423] myNewsletter "UserName" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-06
FarhadKey has discovered a vulnerability in myNewsletter, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20423/
--
[SA20419] aspWebLinks SQL Injection and Password Change
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Security Bypass
Released: 2006-06-02
ajann has discovered two vulnerabilities in aspWebLinks, which can be
exploited by malicious people to conduct SQL injection attacks and to
bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20419/
--
[SA20416] ASPScriptz Guest Book "submit.asp" Script Insertion
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-06
omnipresent has discovered some vulnerabilities in ASPScriptz Guest
Book, which can be exploited by malicious people to conduct script
insertion attacks.
Full Advisory:
http://secunia.com/advisories/20416/
--
[SA20411] CodeAvalanche FreeForum Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-02
Some vulnerabilities have been discovered in CodeAvalanche FreeForum,
which can be exploited by malicious people to conduct script insertion
attacks and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20411/
--
[SA20483] WinGate WWW Proxy Server Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-07
kcope has discovered a vulnerability in WinGate, which can be exploited
by malicious people to cause a DoS (Denial of Service) and potentially
to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20483/
--
[SA20477] Microsoft NetMeeting Denial of Service Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-07
HexView has reported a vulnerability in Microsoft NetMeeting, which can
be exploited by malicious users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20477/
--
[SA20449] Internet Explorer File Upload Form Keystroke Event Cancel
Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
A vulnerability has been reported in Internet Explorer, which can be
exploited by malicious people to trick users into disclosing sensitive
information.
Full Advisory:
http://secunia.com/advisories/20449/
--
[SA20425] ASP Discussion Forum "search" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-02
omnipresent has discovered a vulnerability in ASP Discussion Forum,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20425/
UNIX/Linux:--
[SA20487] Wikiwig "WK[wkPath]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-07
Kacper has discovered a vulnerability in Wikiwig, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20487/
--
[SA20473] HP Tru64 UNIX and HP Internet Express Sendmail Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-07
HP has acknowledged a vulnerability in HP Tru64 UNIX and HP Internet
Express running sendmail, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20473/
--
[SA20415] iShopCart Buffer Overflow and Directory Traversal
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information, System access
Released: 2006-06-02
K-sPecial has reported some vulnerabilities in iShopCart, which can be
exploited by malicious people to disclose potentially sensitive
information and compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20415/
--
[SA20466] LoudHush iaxclient Unspecified Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-06-06
A vulnerability with an unknown impact has been reported in LoudHush.
Full Advisory:
http://secunia.com/advisories/20466/
--
[SA20457] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2006-06-05
SUSE has issued updates for multiple packages. These fix
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service), to disclose potentially sensitive information,
and to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20457/
--
[SA20451] Debian update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-06-05
Debian has issued an update for postgresql. This fixes two
vulnerabilities, which potentially can be exploited by malicious people
to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20451/
--
[SA20446] Debian update for centericq
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-05
Debian has issued an update for centericq. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20446/
--
[SA20435] Trustix update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-06-05
Trustix has issued an update for postgresql. This fixes two
vulnerabilities, which potentially can be exploited by malicious people
to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20435/
--
[SA20422] Red Hat update for dia
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-02
Red Hat has issued an update for dia. This fixes some vulnerabilities,
which potentially can be exploited by malicious people to compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/20422/
--
[SA20482] Red Hat update for spamassassin
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-07
Red Hat has issued an update for spamassassin. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20482/
--
[SA20443] Debian update for spamassassin
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-06
Debian has issued an update for spamassassin. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20443/
--
[SA20430] SpamAssassin "spamd" Shell Command Injection Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-06
A vulnerability has been reported in SpamAssassin, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20430/
--
[SA20498] GANTTy Cross-Site Scripting and Information Disclosure
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-06-07
luny has reported two vulnerabilities in GANTTy, which can be exploited
by malicious people to disclose system information and conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20498/
--
[SA20476] Sylpheed-Claws URI Check Bypass Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-07
A security issue has been reported in Sylpheed-Claws, which potentially
can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20476/
--
[SA20497] Asterisk IAX2 Channel Driver Denial of Service Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-06-07
A vulnerability has been reported in Asterisk, which can be exploited
by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20497/
--
[SA20461] Debian update for freeradius
Critical: Less critical
Where: From local network
Impact: Security Bypass, DoS
Released: 2006-06-05
Debian has issued an update for freeradius. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) or bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20461/
--
[SA20424] Slackware update for mysql
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-06-05
Slackware has issued an update for mysql. This fixes two
vulnerabilities, which can be exploited by malicious users to disclose
potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/20424/
--
[SA20421] Red Hat update for quagga
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of system information, DoS
Released: 2006-06-02
Red Hat has issued an update for quagga. This fixes two security issues
and a vulnerability, which can be exploited by malicious, local users to
cause a DoS (Denial of Service) and by malicious people to bypass
certain security restrictions, and to disclose system information.
Full Advisory:
http://secunia.com/advisories/20421/
--
[SA20420] Red Hat update for zebra
Critical: Less critical
Where: From local network
Impact: Security Bypass, Exposure of system information, DoS
Released: 2006-06-02
Red Hat has issued an update for zebra. This fixes two security issues
and a vulnerability, which can be exploited by malicious, local users
to cause a DoS (Denial of Service) and by malicious people to bypass
certain security restrictions, and to disclose system information.
Full Advisory:
http://secunia.com/advisories/20420/
--
[SA20456] Avaya Products XScreenSaver Insecure Temporary File Creation
Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-06
Avaya has acknowledged a vulnerability in various Avaya products, which
can be exploited by malicious, local users to perform certain actions
with escalated privileges.
Full Advisory:
http://secunia.com/advisories/20456/
--
[SA20445] Sun StorADE Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-05
A vulnerability has been reported in Storage Automated Diagnostic
Environment (StorADE), which can be exploited by malicious, local users
to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/20445/
--
[SA20459] Avaya PDS HP-UX Kernel Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-06-06
Avaya has acknowledged a vulnerability in Avaya Predictive Dialing
System (PDS), which can be exploited by malicious, local users to cause
a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20459/
Other:
--
[SA20479] Ingate Firewall and SIParator Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, DoS
Released: 2006-06-07
Two vulnerabilities have been reported in Ingate Firewall and
SIParator, which can be exploited by malicious people to conduct
cross-site scripting attacks and to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20479/
--
[SA20474] D-Link DWL-2100AP Exposure of Configuration Files
Critical: Less critical
Where: From local network
Impact: Exposure of sensitive information
Released: 2006-06-07
A security issue has been reported in D-Link DWL-2100AP, which can be
exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/20474/
Cross Platform:
--
[SA20480] Clan Manager Pro cmpro_header.inc.php File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-07
Sx02 has discovered two vulnerabilities in Clan Manager Pro, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20480/
--
[SA20475] MiraksGalerie Multiple File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-07
Federico Fazzi has discovered some vulnerabilities in MiraksGalerie,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20475/
--
[SA20468] DreamAccount "da_path" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-06
David "Aesthetico" Vieira-Kurz has reported some vulnerabilities in
DreamAccount, which can be exploited by malicious people to compromise
a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20468/
--
[SA20463] dotWidget CMS "file_path" Parameter File Inclusion
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
David 'Aesthetico' Vieira-Kurz has reported a vulnerability in
dotWidget CMS, which can be exploited by malicious people to compromise
a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20463/
--
[SA20448] Informium "CONF[local_path]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
Kacper has reported a vulnerability in Informium, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20448/
--
[SA20440] CS-Cart "classes_dir" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
Kacper has reported a vulnerability in CS-Cart, which can be exploited
by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20440/
--
[SA20439] WebspotBlogging Multiple File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
Kacper has reported some vulnerabilities in WebspotBlogging, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20439/
--
[SA20437] DotClear "blog_dc_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
rgod has reported a vulnerability in DotClear, which can be exploited
by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20437/
--
[SA20434] Claroline Two File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
rgod has reported two vulnerabilities in Claroline, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20434/
--
[SA20429] DokuWiki Spell Checker Code Execution Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-05
Stefan Esser has reported a vulnerability in DokuWiki, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20429/
--
[SA20426] AssoCIateD "root_path" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-02
Kacper has discovered some vulnerabilities in AssoCIateD, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20426/
--
[SA20408] REDAXO "REX[INCLUDE_PATH]" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-02
beford has discovered some vulnerabilities in REDAXO, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20408/
--
[SA20486] Open Business Management Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-07
r0t has reported some vulnerabilities in Open Business Management,
which can be exploited by malicious users to conduct SQL injection
attacks and by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20486/
--
[SA20471] Kmita FAQ Cross-Site Scripting and SQL Injection
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-06
luny has reported two vulnerabilities in Kmita FAQ, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20471/
--
[SA20469] Alex News-Engine "newsid" Parameter SQL Injection
Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-06
ajann has discovered a vulnerability in Alex News-Engine, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20469/
--
[SA20465] Coppermine Photo Gallery usermgr.php Unspecified
Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-06-07
A vulnerability with an unknown impact has been reported in Coppermine
Photo Gallery.
Full Advisory:
http://secunia.com/advisories/20465/
--
[SA20460] LifeType "articleId" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-05
rgod has discovered a vulnerability in LifeType, which can be exploited
by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20460/
--
[SA20458] MediaWiki Edit Form Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-06
A vulnerability has been reported in MediaWiki, which can be exploited
by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20458/
--
[SA20450] Dmx Forum Disclosure of Sensitive Information
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
DarkFig has discovered two security issues in Dmx Forum, which can be
exploited by malicious people to disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/20450/
--
[SA20447] Weblog Oggi Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
luny has discovered a vulnerability in Weblog Oggi, which can be
exploited by malicious users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20447/
--
[SA20438] BlueShoes Framework Multiple File Inclusion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-05
Kacper has reported some vulnerabilities in BlueShoes Framework, which
can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20438/
--
[SA20433] FunkBoard Authentication Bypass and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2006-06-06
Some vulnerabilities have been reported in FunkBoard, which can be
exploited by malicious people to bypass certain security restrictions
and to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20433/
--
[SA20428] Particle Wiki Script Insertion and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-05
Some vulnerabilities have been discovered in Particle Wiki, which can
be exploited by malicious people to conduct script insertion attacks
and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20428/
--
[SA20427] Particle Gallery "imageid" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-05
r0t has discovered a vulnerability in Particle Gallery, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20427/
--
[SA20414] TAL RateMyPic Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-02
Some vulnerabilities have been discovered in TAL RateMyPic, which can
be exploited by malicious people to conduct script insertion attacks,
cross-site scripting attacks, and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20414/
--
[SA20413] Snort "http_inspect" Preprocessor Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-02
Blake Hartstein has reported a vulnerability in Snort, which can be
exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20413/
--
[SA20410] Unak-CMS SQL Injection and Cross-Site Scripting
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-02
Some vulnerabilities have been reported in Unak-CMS, which can be
exploited by malicious people to conduct cross-site scripting attacks
and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20410/
--
[SA20409] SimpleBoard "sb_authorname" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-02
Yannick von Arx has discovered a vulnerability in SimpleBoard, which
can be exploited by malicious people to conduct script insertion
attacks.
Full Advisory:
http://secunia.com/advisories/20409/
--
[SA20452] TIBCO Rendezvous HTTP Administrative Interface Buffer
Overflow
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-06
A vulnerability has been reported in TIBCO Rendezvous, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20452/
--
[SA20500] GD Graphics Library GIF File Handling Denial of Service
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-07
Xavier Roche has discovered a vulnerability in the GD Graphics Library,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service) against applications and services using libgd.
Full Advisory:
http://secunia.com/advisories/20500/
--
[SA20491] Particle Links "username" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-07
luny has discovered a vulnerability in Particle Links, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20491/
--
[SA20490] Particle Whois "target" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-07
luny has discovered a vulnerability in Particle Whois, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20490/
--
[SA20478] DokuWiki Restricted Page Content Disclosure Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-06-07
A vulnerability has been reported in DokuWiki, which can be exploited
by malicious users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20478/
--
[SA20472] Mozilla SeaMonkey File Upload Form Keystroke Event Cancel
Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
A vulnerability has been reported in Mozilla SeaMonkey, which can be
exploited by malicious people to trick users into disclosing sensitive
information.
Full Advisory:
http://secunia.com/advisories/20472/
--
[SA20470] Netscape File Upload Form Keystroke Event Cancel
Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
A vulnerability has been reported in Netscape, which can be exploited
by malicious people to trick users into disclosing sensitive
information.
Full Advisory:
http://secunia.com/advisories/20470/
--
[SA20467] Mozilla Suite File Upload Form Keystroke Event Cancel
Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
A vulnerability has been reported in Mozilla Suite, which can be
exploited by malicious people to trick users into disclosing sensitive
information.
Full Advisory:
http://secunia.com/advisories/20467/
--
[SA20455] KnowledgeTree Open Source Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-06
r0t has reported two vulnerabilities in KnowledgeTree Open Source,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20455/
--
[SA20453] PHP ManualMaker Multiple Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
luny has reported some vulnerabilities in PHP ManualMaker, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20453/
--
[SA20444] PHP Pro Publish "catname" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
Soot has reported a vulnerability in PHP Pro Publish, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20444/
--
[SA20442] Firefox File Upload Form Keystroke Event Cancel
Vulnerability
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-06
Charles McAuley has reported a vulnerability in Firefox, which can be
exploited by malicious people to trick users into disclosing sensitive
information.
Full Advisory:
http://secunia.com/advisories/20442/
--
[SA20441] OSADS Board Comments Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
A vulnerability has been discovered in OSADS, which can be exploited by
malicious users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20441/
--
[SA20436] PyBlosxom Contributed Packages Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-06
A vulnerability has been reported in Contributed Packages for PyBlosxom
1.3, which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20436/
--
[SA20418] dotProject Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
A vulnerability has been reported in dotProject, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20418/
--
[SA20417] LabWiki Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-05
Two vulnerabilities have been discovered in LabWiki, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20417/
--
[SA20412] Drupal Taxonomy Module Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-02
A vulnerability has been reported in Drupal, which can be exploited by
malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20412/
--
[SA20431] TIBCO Hawk "tibhawkhma" Privilege Escalation Vulnerability
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-06
A vulnerability has been reported in TIBCO Hawk, which can be exploited
by malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/20431/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
From isn at c4i.org Thu Jun 8 05:03:21 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:03:21 -0500 (CDT)
Subject: [ISN] Hacker Said to Resell Internet Phone Service
Message-ID:
http://www.nytimes.com/2006/06/07/technology/07cnd-voice.html
By KEN BELSON and TOM ZELLER Jr.
June 7, 2006
Federal authorities arrested one man in Miami and another in Spokane,
Wash., today in connection with what they said was a hacking scheme
involving the resale of Internet telephone service.
The suspects were said to have illegally tapped into the lines of
legitimate Internet phone companies, saddling them with the expense of
extra traffic, while collecting more than $1 million in connection
fees.
The case, one of the first involving this kind of elaborate Internet
phone hacking, illustrated how Internet-based communications may be
criminally exploited, and raised fresh questions about the security of
phone traffic over largely unregulated networks.
Prosecutors say that starting in November 2004, the man arrested in
Miami - Edwin Andres Pena, 23, a Venezuelan who has permanent
residency in the United States - used two companies he created to
offer wholesale phone connections at discounted rates to small
Internet phone companies.
Instead of buying access to other networks to connect his clients'
calls, Mr. Pena paid about $20,000 to Robert Moore, the man arrested
in Spokane, to create "what amounted to 'free' routes by
surreptitiously hacking into the computer networks" of unwitting
Internet phone providers, and then routing his customers' calls over
those providers' systems, according to the federal complaint.
To evade detection, Mr. Pena is said to have hacked into computers run
by an unsuspecting investment company in Rye Brook, N.Y.,
commandeering its unprotected servers to re-route phone traffic
through them. These steps made it appear as if this company was
sending calls to more than 15 Internet phone companies.
In one three-week period, for instance, prosecutors say that one of
the victimized Internet phone providers, based in Newark, received
about 500,000 calls that were made to look as if they came from the
company in Rye Brook.
In all, more than 15 Internet phone companies, including the one in
Newark, were left having to pay as much as $300,000 each in connection
fees for routing the phone traffic to other carriers, without
receiving any revenue for the calls, prosecutors said.
"Emerging technologies and the Internet represent a sea of opportunity
for business, but also for sophisticated criminals," Christopher J.
Christie, the United States Attorney for New Jersey, said in a
statement. "The challenge, which we and the F.B.I. continue to meet
with investigations and prosecutions like this one, is to stay ahead
of the cyber-criminal and protect legitimate commerce."
The companies in Newark and Rye Brook, and others said to have been
victimized, were not identified by name in the complaint, which was
filed with the United States District Court in Newark.
Mr. Pena, however, appears to have used the money he received from his
customers to go on a spending spree, buying real estate in south
Florida, a 40-foot Sea Ray Mercruiser motor boat, and luxury cars
including a BMW and a Cadillac Escalade.
Mr. Pena appeared to be smitten with his possessions, frequently
posting pictures of his cars on Web sites devoted to car enthusiasts.
So far, most of the concern about the safety of Internet-based
communications has focused on the ability of criminals to eavesdrop on
calls, to fake caller ID's and to steal long-distance phone service.
In this case, Mr. Pena is said to have mimicked legitimate
telecommunications brokers, who typically help connect long distance
calls by buying minutes from large carriers and reselling them for a
profit to smaller phone companies.
From isn at c4i.org Thu Jun 8 05:03:38 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:03:38 -0500 (CDT)
Subject: [ISN] Spies on the Hill: Former Capitol Police Chief Gainer Dishes
About Secret Intel Unit
Message-ID:
http://public.cq.com/public/20060602_homeland.html
By Jeff Stein
CQ Staff
June 2, 2006
No self-respecting federal agency goes without its own intelligence
service these days, and the U.S. Capitol Police is no exception.
The Capitol Police have a little-known intelligence unit that takes up
a whole floor of its seven-story, century-old headquarters at First
and D Streets Northeast, according to its just-retired police chief.
Terrance W. Gainer, who turned in his badge, gun and police-issued
Blackberry two months ago after four years of occasionally rough times
with protesters and headstrong lawmakers, says his unit collaborated
closely with the CIA and the FBI-led Joint Terrorism Task Force, and
had liaison officers at most of the 16 spy agencies that make up the
U.S. intelligence community.
Gainer also says his intelligence unit - fewer than 50 in a 600-strong
corps, he indicated - often swept congressional hearing rooms and
offices for secret electronic listening devices and fielded
plainclothes officers to see who might be scouting the facilities for
a terrorist attack.
"We are a very, very full-service police department, and know for
certain that the goal we have as counterterrorism police is stopping
an attack before it starts," Gainer says.
The intelligence unit's head, Deputy Chief Mike Jarboe, could not be
reached for comment on the Capitol Police's counterintelligence and
security activities.
"I'm going to guess they're not going to be very talkative," Gainer
said in the first of two interviews over the past few weeks. "As a
rule, I have a different philosophy on the press, as some might
suspect, and it got me in trouble with some of the House members.
"I think there ought to be a little open dialog," said Gainer, who was
chief of the Illinois state police before coming to Washington in
1998, "and I don't like to deny that which is obvious.
"I think in some respects you want our enemy to know that we are
capable, but you don't want them to know the specifics of our
capabilities. . . . And that's always a fine line."
"Holy Cow"
Every morning at 8:45, Gainer says he, his top officers and delegates
from the House and Senate sergeant at arms offices gathered for an
intelligence briefing in "a secure location" that he would not
identify.
That facility, as well as an area in Capitol Police headquarters, had
a so-called Secure Compartmented Intelligence Facility, or SCIF, that
prevented hostile intelligence agencies from listening in on
conversations, Gainer said.
"Our intel people would talk about threats picked up by other intel
agencies. We'd also talk about major hearings, dignitary visits to the
Hill, and so on."
At least twice a month, and sometimes weekly, the Capitol Police
intelligence unit and senior commanders got briefings from the CIA and
FBI in the Hill's SCIF.
"We had some 'holy cow' moments," Gainer said, declining to provide
details. But overall, "It would be rare, in that kind of meeting, that
I would learn something I hadn't already been briefed on."
Moles
As for finding "bugs" in Capitol facilities, Gainer would only say, "I
wouldn't comment on that, but I will tell you this, that we feel
comfortable with the meetings that are conducted in there and our
sweeps."
Gainer also revealed this little-known detail: Capitol Police carry
out what he calls "counterintelligence" activities.
"It's not putting people under cover to develop informants. We don't
do that," he said.
"We have plainclothes officers who go out and do counterintelligence
work. We're always trying to figure out what the bad guys are trying
to figure out in watching us or observing what we do."
In the spy trade, counterintelligence usually means penetrating the
opposition's spy service and looking for moles within its own.
But that's not what Capitol Police "special agents" - a designation
Gainer said he bestowed on his intelligence specialists for its
"cachet" - do, the retired chief says.
"Counterintelligence, from our perspective," Gainer explains, "is very
limited in scope. It might be something as simple as, during the State
of the Union address or the inauguration, having people out watching
the crowd.
"So we're looking at people who are watching us. If we got a phony
call on a suspicious package, the terrorists might be watching to see
how we respond - how many units, how many people, how we lay ourselves
out. So we have people in plainclothes looking at the lookers. And we
might decide to talk to someone who's doing some taping, we might tape
people who are taping us, and cross-reference that with what's going
on in other jurisdictions."
In the investigation of last summer's London subway and bus bombings,
authorities "captured tapes that showed different places in D.C. and
on the Hill," said Gainer, 58. "Maybe it was pre-operational stuff."
But the Capitol Police's intelligence unit's purview isn't necessarily
confined to Capitol Hill, he said.
Sharing
All 535 members of Congress "and their families" are under the Capitol
Police's protective wing.
"We don't go out to their home towns, but our responsibility extends
to where those men and women are, and their families. So either we or
those local police departments stay on top of what's going on."
"If there's something that is of greater scope than our area then we
work with the FBI and the Joint Terrorism Task Forces," he says.
And the intel unit has "connections in each of the states, with
the local FBI field office, or places like L.A., New York, Chicago -
they all have intelligence squads."
It works the other way, too, Gainer said, with threats against members
of Congress relayed quickly to Capitol Police intelligence. It wasn't
always that way. Now the department's problem is information overload.
"I think the biggest concern we have now is everybody is sharing so
much because no one wants to be accused of not sharing. We would have
a daily intel briefing telling us what was going on in the world, and
sometimes you would say, 'Why in the world are we being told this,
because it's laughable.'"
"They might lay out a lot of information and then say the person
giving this to us is unreliable, has given us bad information in the
past and is crazy. And we'd go, 'then why share it with us?'"
Today, he says, relations with the CIA, FBI and other intelligence
agencies are tight. During the CIA and FBI briefings, there's a lot of
unprecedented give and take with Capitol Police analysts, many of whom
are drawn from the military intelligence services. Those who aren't
are sent to the military intelligence schools and the FBI for
training, Gainer said.
"At the end of those briefs, the FBI and CIA would give more details
and answer your questions. In other words, they would let those
'intellectual' discussions go on. They might say, 'This is our read of
this bit of intelligence, give us yours,' " Gainer says.
"Sometimes our analytical people would write reports that ran counter
to [theirs], which was the accumulated intel from 18 agencies. Our
guys would write theirs from our perspective and say, 'Why couldn't it
mean this?'"
Despite the new collaboration between the Capitol Police and federal
spy agencies, along with bag checks, floating security units, New
Jersey barriers and anthrax mail sniffers, a determined terrorist can
probably get through, Gainer volunteered.
"Because it's an open campus, someone can ride a bus up there - but
not a truck - a bike with saddlebags on us. That presents a challenge.
But our concern was the smaller events. Working with our federal
intelligence agency partners, we think we have a pretty good handle on
the potential for our adversaries to do big stuff."
Big stuff?
"A 9/11, a nuclear attack, a dirty bomb - all those are possible," he
says.
But the Capitol is much better protected than when he arrived, he
maintained, despite such panicky moments as the "shooting" in the
Longworth House Office Building garage last week that shook the whole
city but most likely was a construction crew dropping pipes.
"Between us and some of the other federal brethren, I feel we have a
pretty good handle on what's in the air," Gainer said, "and which way
the wind is blowing. . . ."
[...]
From isn at c4i.org Thu Jun 8 05:04:17 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:04:17 -0500 (CDT)
Subject: [ISN] Fighting cyber crime in Nigeria
Message-ID:
http://www.tribune.com.ng/08062006/infosys2.html
By OLUWASEUN AYANTOKUN
Info Systems
Lagos
8th June, 2006
When efforts are being made to remove the rebellious shoot of the
proverbial stump, it obstinately sprouts another. So it is with
cybercrime, which has continued to grow by leaps and bounds, even as
the government frantically keeps on fighting financial crimes. While
the war is yielding results by enhancing the image of Nigeria abroad,
cybercrime has continued to dent it. The Internet creates unlimited
opportunities for commercial, social and educational activities. But
as we can see with cybercrime, the net introduces its own peculiar
risks.
The convenience associated with IT and the Internet is now being
exploited to serve criminal purposes. Cybercrime covers Internet fraud
in general, not just online 419 scams: the use of computers and/or the
Internet to commit crime. Computer-assisted crimes include e-mail
scams, hacking, distribution of hostile software (viruses and worms),
denial of service attacks, theft of data, extortion, fraud and
impersonation.
Recently, a report indicated that Nigeria is losing about $80
million (N11.2 billion) yearly to software piracy. The report was the
findings of a study, conducted by the Institute of Digital
Communications (IDC), a market research and forecasting firm based in
South Africa, on behalf of the Business Software Alliance of South
Africa.
As it is now, cybercrime is an image nightmare for Nigeria. When you
come across phrases like "Nigerian scam", the assumption that crosses
your mind is that all (or conservatively, most) scam emails originate
from Nigeria, or Nigerians.
In 2004, the federal government established a cybercrime working
group, the Nigeria Cyber Working Group (NCWG), with the purpose of
aiding Nigeria's demystification of the hydra-headed monster. The NCWG
is an inter-agency body made up of all key law enforcement, security,
intelligence and ICT agencies of government, plus major private
organisations in the ICT sector.
Some of these agencies include the Economic and Financial Crimes
Commission (EFCC), Nigeria Police Force (NPF), the National Security
Adviser (NSA), the Nigerian Communications Commission (NCC),
Department of State Services (DSS), National Intelligence Agency
(NIA), Nigeria Computer Society (NCS), Nigeria Internet Group (NIG),
Internet Services Providers' Association of Nigeria (ISPAN), National
Information Technology Development Agency (NITDA), and individual
citizens representing the public interest. The working group has two
chairpersons and one coordinator.
The duties of the Working Group include: engaging in public
enlightenment programs, building institutional consensus amongst
existing agencies, providing technical assistance to the National
Assembly on cyber crime and in the drafting of the cyber crime act,
and laying the groundwork for a cyber crime agency that will
eventually emerge to take charge of fighting cyber crime in Nigeria.
In addition, the working group was tasked with the responsibility of
working with global cyber crime enforcement agencies in the USA, the
UK and other countries, who are at the forefront of fighting cyber
crime.
All this has created a lot of talk about fighting cybercrime
without a significant result to show for it. Early this year, an
on-line news magazine doubted Mr Nuhu Ribadu, the executive chairman
of the Economic and Financial Crimes Commission, who vowed that
Nigeria would "deal a fatal blow" to cybercrime networks. According to
Mr. Ribadu, Nigeria "will monitor cybercafes and take on a
'significant' number of cases against such criminals based in Nigeria".
The news magazine, InfoSec News, queried, "prosecution of cyberscams is
fine, but are there sufficient laws for this? If there are laws, why
weren't they enforced so far, and if there are no laws, why is this
not the first step?" How effectively then can the war against
cybercrime be prosecuted, given the awareness of the menace it
poses to society? "Fighting cybercrime requires not just IT knowledge
but IT intelligence on the part of the security agencies.
For now, there is an IT security divide - a serious shortage of skills
to deal with the threats associated with IT. Shouting and moaning
about cybercrime isn't enough. All the talk is meaningless unless the
gap is closed. Security agencies need to be equipped with the skills,
the know-how and the insight necessary to fight cybercrime
effectively. While resources are needed to fight the menace, it is
imperative to avoid the misdirected approach of 'throwing money' at the
problem. The approach must be based on policies and strategies. Such
policies must be based on knowledge: knowledge not just for the
operatives, but also for those that will commit resources. For
example, do the decision makers have any REAL, PRACTICAL appreciation
of technology, not to talk of cybercrime? What is their stake in the
basics of information security in today's high-tech business
environment? The cybercriminals seem to have the technology advantage.
"Essentially, cybercrime is an information- and intelligence-based
activity. You cannot fight cybercrime with ignorance, strong
directives or boastful talk," Mr Jide Awe, an ICT expert, said in a
conference paper presented in 2004. Furthermore, legislation needs to
keep pace with e-crime, especially as it becomes more prevalent and
sophisticated. "Apart from awareness and culture, security measures
(technical and non-technical) will need to be put in place and
enforced, as part of the solutions. This might involve raising
penalties and increasing the seriousness of e-offences. The right
culture should create a high level of awareness amongst stakeholders",
added the ICT expert.
Cybercrime cannot be divorced from the prevalent high level of
corruption and widespread poverty and unemployment in Nigerian
society. Heavier punishments and enlightenment, closing down cyber
cafés and issuing draconian directives may therefore not be meaningful
without addressing the causes. To fight crime you attack the causes of
crime. Little wonder then that after the initial excitement following
the setting up of the NCWG, and some spineless fight by the security
agencies, the noise died down.
Also in terms of strategy, it is crucial to thoroughly address issues
relating to enforcement whenever the bill before the National Assembly
to curb the crime is passed into law. "Mishandling of enforcement can
backfire. Enforcement can only work if it avoids harassment, abuse of
privacy and extortion. Care must be taken not to throw out the baby
with the bath water. Don't create a situation where genuine users of
the Internet are frustrated out and unable to benefit from the
Internet. In today's world, computing tools and the Internet are used
to effectively promote social development and business growth.
Strategies must strike a balance between security concerns and other
developmental needs", Mr Awe suggested.
In April, at the Heinrich Boll Foundation (HBF) Conference Hall, where
some stakeholders in the ICT industry gathered to discuss how to
facilitate information security, reduce security breaches, and steps
to contain cyber crime in Africa, Dr. Martins Ikpehai, chief executive
officer of Computer Audit and Security Associates Ltd, Lagos, stated
that "Computer security and cyber crime awareness should be created
with a view to sensitising all users of the internet facility to the
emerging indicators of crime and fraud being committed through
computers".
Other participants at the three-day conference agreed in various
papers presented that the law enforcement agencies and judiciary in
the continent have roles to play in devising ways of curbing internet
fraud and enhancing their skills in computer security and risk
management. The group was also hopeful that the Computer Security and
Cybercrime Bill it sponsored to the National Assembly will be passed
on time and that its passage would mark the beginning of the war
against internet crime in the country.
Of course, how far can the country go without active legislation in
place? According to the participants, it is also very necessary for
the relevant authorities to conduct surveys and research with a view
to containing cyber-related crimes and computer security breaches. Mr
Awe, who also participated at the conference, charged the information
security expertise in the continent to identify threats to computer
security and to protect against both internal and external threats,
among which human error is a major concern that needs a human
approach. The situation on the ground, therefore, shows the country
still has a long way to go.
© 2004 - 2006 African Newspapers of Nigeria Plc.
From isn at c4i.org Thu Jun 8 05:04:39 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:04:39 -0500 (CDT)
Subject: [ISN] Privacy Lost
Message-ID:
http://www.cbsnews.com/stories/2006/06/07/opinion/main1690428.shtml
By Tom Kellerman
CBS
June 7, 2006
In today's age of digital everything, one can reminisce about the days
of true privacy. Much of the discussion of late has centered upon the
NSA's domestic spying program. Americans from the deep red states to
the blue have felt betrayed by Uncle Sam as a result of his
anti-terror efforts. The naiveté exhibited by privacy advocates
everywhere stems from a lack of appreciation that the world is truly
flat - privacy has been traded for convenience. True privacy has
become pure nostalgia in this age of digital everything. All the
fretting about the National Security Agency's domestic spying program
is understandable, but it misses one spectacularly big point: domestic
privacy in America simply does not exist anymore. Those who use
e-commerce most are at greatest risk. The Privacy Rights Clearinghouse
reported that more than 80 million Americans have had their personal
information jeopardized by data breaches since Feb. 15, 2005. A more
recent study conducted by IBM claimed that three times more Americans
thought they were more likely to be victimized by cybercrime than
physical crime.
Most Americans are unaware that government Big Brother no longer has a
monopoly on domestic spying. There are in fact thousands upon
thousands of Big Brothers in cyberspace and on the digital airwaves.
These Big Brothers are intent upon criminal gain rather than national
security. These Big Brothers exist in the underground hacker
community, among other places. Since the wide spread adoption of
e-commerce and e-finance the burgeoning hacker community has evolved
into a force to be reckoned with on the world stage.
An entire subculture of highly educated and sophisticated cyber
criminals exists. Much as the Italian Mafia in the U.S. moved into
narcotics trafficking in the 1970's, other organized criminal
syndicates have realized that identity theft, funds transfer and
extortion are the most lucrative business models in the information
age. A recent FBI study determined that 9 out of 10 American
businesses fell victim to cyber crime last year. The FBI Director,
Robert Mueller, declared cyber crime his number one criminal priority.
According to the Organization for Economic Cooperation and Development
one in three computers is compromised - remotely controlled by someone
other than you.
The virtual takeover of Americans' privacy has been largely due to the
proliferation of Trojan Horse programs. Trojan Horse programs are
smaller, digital, and far more prolific than in the days of Troy.
Trojans cloak malicious code by appearing as innocuous attachments in
order to gain access inside a user's computer system. Once a Trojan
Horse has been introduced into a user's computer system, it plants a
program that listens for a variety of user communications and secretly
installs secret passageways into a user's computer. Through these
backdoors, remote hackers can launch malicious code and vandalize,
alter, steal, move, or delete any file on the infected computer. They
can also harvest sensitive user information such as financial account
numbers and passwords from the data in local files, and then transmit
them through backdoors.
Most Americans think that one must be very technical to invade someone
else's privacy in this fashion. That belief is dangerously misguided.
Much as one need not understand the inner workings of a handgun to use
one, you don't need to be a sophisticated programmer to be an adept
cyber crook. By merely running a query in a search engine for Trojan
horse programs or keyloggers one will find tens of thousands of
relevant downloadable programs at their fingertips. One merely needs
to comprehend the lexicon associated with hacker tools to launch cyber
attacks. The Internet has become a virtual arms bazaar. The free
distribution of cyber weapons takes place millions of times every day.
Underground Internet Relay Chat rooms and Web sites like
http://astalavista.box.sk have mirrored the American gun shows; the
only exception being that all the guns and ammo are free.
Some examples might shock you:
Did you know that the Pentagon the most secure infrastructure in the
world was hacked for over eight months by a network of Chinese
computers named Titan Rain? These computers were implanted within the
DOD's internal networks so as to steal our aeronautical specifications
for advanced jets and space craft.
Did you know that the greatest threat facing our banks is not armed
robbers but cyber thieves stealing your identity and setting up
fraudulent lines of credit in your name? Only 2 percent of mounting
bank crime losses are from physical robberies now. Today's bandits now
hide safely in a hotel room halfway around the world while they steal
your financial futures.
Did you know that the 202 deaths of foreigners in Bali in 2002 were
financed by cyber crime? Imam Samudra was convicted of engineering the
devastating Bali nightclub bombings four years ago. Samudra published
a jailhouse autobiography that contained a chapter titled "Hacking,
Why Not?" Samudra urged fellow Muslim radicals to take the holy war
into cyberspace by attacking U.S. computers, with the particular aim
of committing credit card fraud online.
Today's digital world has become a boon to an illegal underground
economy that trades in our secrets. Governments no longer have a
monopoly on technology and thus no longer have a monopoly on being Big
Brother. Indeed, the proliferation of criminal, digital Big Brothers
far exceeds the government's ability to protect citizens in
cyberspace.
A good place to begin reclaiming privacy and real cyber security in
vital areas of life and commerce is with the banks and corporations
that we do business with. Just as some corporations do a better job at
protecting the environment there are those who do a better job at
ensuring our privacy and cyber security. There is no way government
can do the job itself; the resources and resourcefulness of the entire
private sector are necessary.
In cyberspace privacy cannot exist without cyber security. You might
attempt to protect your computer and the information on it. But you
can't protect the security of every institution that holds information
about you. Much like the concept of "rewind" the concept of personal
privacy is becoming ancient history.
-=-
Tom Kellermann is a cyber security consultant who formerly held the
position of Senior Data Risk Management Specialist for the World Bank
Treasury Security Team. He was responsible for cyber intelligence and
policy management within the World Bank treasury and regularly advised
central banks around the world. He is a Certified Information Security
Manager (CISM).
© MMVI, CBS Broadcasting Inc. All Rights Reserved.
From isn at c4i.org Thu Jun 8 05:04:56 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:04:56 -0500 (CDT)
Subject: [ISN] DOD data center worked overtime on stolen personnel files
Message-ID:
http://www.fcw.com/article94816-06-07-06-Web
By Bob Brewin
June 7, 2006
The Defense Manpower Data Center (DMDC) worked during the past weekend
to determine that a stolen Department of Veterans Affairs database,
which contained sensitive personnel information on 26.5 million
veterans, also contains information on as many as 1.1 million
active-duty personnel, a DOD spokesman said.
Army Lt. Col. Jeremy Martin, a Pentagon spokesman, said the VA
informed DOD June 1 that the stolen database may have included
information on active personnel.
DOD then asked the VA to transmit an original of the file stolen from
the home of a VA data analyst May 3 to DMDC. That file, Martin
emphasized, was encrypted and then transmitted over a secure link from
the VA to DMDC.
DMDC employees then worked over the weekend to compare records in the
VA file with records of active-duty and reserve personnel and
determined that records for as many as 1.1 million out of 1.4 million
active duty-personnel may have been included in the stolen VA
database, Martin said.
He added that records on 430,000 members of the National Guard and
645,000 members of the Reserves -- or roughly 90 percent of Reserve
and Guard personnel -- may have been on the stolen database.
Martin said DMDC employees worked over the weekend because "responding
to the compromise of service personnel's information was an urgent
priority and required immediate attention."
Once DMDC completed its work, DOD informed the VA June 5, and VA
Secretary Jim Nicholson announced the latest fallout from the data
theft June 6, which has consumed the agency since it surfaced in late
May.
The VA "committed to providing updates on this incident as new
information is learned," Nicholson said. The department is working
with DOD to notify all affected personnel.
Nicholson said the VA is in discussion with several entities to
provide credit-monitoring services for active-duty and military
personnel potentially at risk from the data theft.
David Rubinger, a spokesman for Equifax, a large credit-reporting
service, said the company has not received any such request from the
VA, but added that individual fraud alerts by veterans have spiked
ever since the VA announced the theft.
Martin said DMDC is still comparing its files with the VA database, a
process it should complete by the end of the week, at which time
the center could determine that a smaller number of records is at risk
from the VA data theft. Martin said the number of records at risk from
the theft could decrease, but it will not increase.
From isn at c4i.org Thu Jun 8 05:05:21 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 8 Jun 2006 04:05:21 -0500 (CDT)
Subject: [ISN] IRS Laptop Lost With Data on 291 People
Message-ID:
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/07/AR2006060701987.html
By Christopher Lee
Washington Post Staff Writer
June 8, 2006
An Internal Revenue Service employee lost an agency laptop early last
month that contained sensitive personal information on 291 workers and
job applicants, a spokesman said yesterday.
The IRS's Terry L. Lemons said the employee checked the laptop as
luggage aboard a commercial flight while traveling to a job fair and
never saw it again. The computer contained unencrypted names, birth
dates, Social Security numbers and fingerprints of the employees and
applicants, Lemons said. Slightly more than 100 of the people affected
were IRS employees, he said. No tax return information was in the
laptop, he said.
"The data was not encrypted, but it was protected by a double-password
system," Lemons said. "To get in to this personal data on there, you
would have to have two separate passwords."
Lemons said the Treasury Department's inspector general for tax
administration is investigating the loss. The IRS is notifying
affected individuals and advising them on steps to guard against
identity theft. Lemons declined to name the airline or the employee,
or to say whether the worker was disciplined, citing the ongoing
investigation.
The Department of Veterans Affairs suffered a much larger data breach
last month when thieves broke into a VA data analyst's home and stole
a laptop and external hard drive containing personal information of
26.5 million veterans and active-duty military members.
Colleen M. Kelley, president of the National Treasury Employees Union,
said IRS employees are worried. "The first thing that comes to mind is
identity theft and why care and caution wasn't taken to encrypt their
data," she said.
Lemons said tax return information is always encrypted if IRS workers
carry it into the field. He could not cite a similar policy for
personal employee data but said, "typically it's our policy to encrypt
any sensitive information."
Kelley said she is pressing the IRS to give employee data the same
care and protection as taxpayer information. "They are taking this
seriously and I would expect to see some changes in policy and
procedures in the future," she said.
© 2006 The Washington Post Company
From isn at c4i.org Fri Jun 9 12:43:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:43:20 -0500 (CDT)
Subject: [ISN] CPA group says hard drive with data on 330,000 members missing
Message-ID:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001030
By Jaikumar Vijayan
Computerworld
June 07, 2006
Adding to the lengthening list of organizations reporting data
compromises, the American Institute of Certified Public Accountants
(AICPA) today confirmed that a computer hard drive containing the
unencrypted names, addresses and Social Security numbers of nearly all
of its 330,000 members has been missing since February.
The hard drive had been accidentally damaged by an AICPA employee and
was sent out for repair to an external data-recovery service in
violation of the AICPA's policies, said Joel Allegretti, a spokesman
for the New York-based organization. It was on its way back to the
AICPA via FedEx but failed to arrive. Allegretti did not say when
exactly the drive went missing except to note that the package
containing it was due back at the AICPA "toward the end of February."
It took the organization until March 31 to "re-create the drive" and
determine what data it contained. The AICPA began notifying affected
members of the potential compromise of their personal data on May 8
and has since completed the task, Allegretti said.
Jim McClusky, a spokesman for FedEx Corp., said it is unclear what
exactly happened to the drive. But he stressed that it is a mistake to
characterize the package as being lost.
"We did handle the shipment, and we are working closely and
cooperatively with our customer to determine where the package might
be," he said. "It is still being investigated. At this point, we are
looking at it as a missing shipment; that doesn't mean it's lost."
Based on investigations so far, it does not appear that information on
the hard drive has been misused, Allegretti said.
Following the loss, the AICPA is offering affected members a year's
worth of free credit-monitoring services. The incident has also
prompted the group to begin deleting all Social Security numbers from
its member database.
While a note posted on the organization's Web site says the collection
of Social Security numbers has been a long-standing procedure, it
added that "we will cease collecting and maintaining them, except in
limited circumstances. And even for those, we are accelerating our
efforts to develop other means of uniquely identifying our members."
News of the AICPA breach comes amid a flurry of similar disclosures in
recent days. By far, the biggest was the May 22 disclosure by the U.S.
Department of Veterans Affairs that it had lost personal data on more
than 26.5 million veterans discharged since 1975. Since then, the
agency has admitted that the breach may have exposed personal
information on about 2.2 million active-duty National Guard and
Reserve troops as well (see "Personal info on 2.2M troops part of VA
data theft" [1]).
Since then, there have been similar disclosures elsewhere, including
Texas Guaranteed Student Loan Corp., a Round Rock, Texas-based
nonprofit organization. TG said that an outside contractor lost an
unspecified piece of equipment containing the names and Social
Security numbers of approximately 1.3 million borrowers.
On May 26, Sacred Heart University in Fairfield, Conn., announced that
one of its computers had been hacked into, resulting in the potential
compromise of data belonging to 135,000 alumni and would-be students.
And earlier this month, a password-protected laptop containing credit
card information on more than a quarter-million Hotels.com LP
customers was stolen from the car of an auditor at Ernst & Young LLP.
[1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000992
From isn at c4i.org Fri Jun 9 12:43:41 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:43:41 -0500 (CDT)
Subject: [ISN] VA cuts telework, bans employee-owned computers
Message-ID:
http://www.govexec.com/story_page.cfm?articleid=34291
By Daniel Pulliam
June 8, 2006
The Veterans Affairs Department has suspended use of employee-owned
computers for official agency business and has limited telework at one
of three major divisions, in an effort to prevent security breaches.
The agency also is issuing a directive reminding employees that
failure to comply with department policy regarding the protection of
personal data could result in administrative, civil or criminal
penalties, VA Secretary James Nicholson testified Thursday at a House
Government Reform Committee hearing. The panel called the hearing to
discuss the department's response to the early May theft of sensitive
records from the home of a VA employee.
A June 6 directive to the Veterans Benefits Administration bars
employees from removing claim files from their offices to work on them
from alternative locations, such as their homes. From June 26 until
June 30, all VA facilities will observe a Security Awareness Week.
Nicholson said about 35,000 employees have some level of access to the
department's servers through a virtual private network, also known as
a VPN, for the purpose of off-site access such as at an employee's
home.
Under recently issued policies, employees no longer will be allowed to
access the agency's VPN from personal computers. Every 30 days the VPN
settings will change, forcing laptop users to return to the agency for
updates and security screening, Nicholson testified.
But several outside observers have said that the data breach could
have been prevented if the VA employee had accessed the information he
needed over a network, rather than bringing it home on computer disks.
The GS-14 employee, who had worked at the department for 34 years, was
not authorized to telework, according to Nicholson, but he had been
taking data to his Aspen Hill, Md., home for the last three years. A
laptop computer owned by the employee and an external hard drive
containing the personal information of 26.5 million people was stolen
May 3 in what authorities say was a routine break-in.
VA officials took steps late last month to initiate the employee's
firing.
Nicholson said law enforcement authorities have apprehended a few
people who have committed burglaries similar to the one at the
employee's home, but the equipment did not match that containing the
data.
While the extent of the breach expanded this week to affect the
records of 2.2 million military personnel in addition to nearly all of
the nation's veterans, Nicholson said the agency has its hands "around
the four corners" of the hard drive's contents.
"I am outraged at the theft of this data and the fact an employee
would put it at risk by taking it home in violation of VA policies,"
Nicholson said in his testimony. "We remain hopeful that this was a
common theft, and that no use will be made of the VA data."
Nicholson said the VA's chief information officer currently lacks
enough authority to guard against data breaches, but as of last
October, the department started centralizing its information
technology functions around the CIO office.
At the hearing, David M. Walker, chief of the Government
Accountability Office, proposed that all federal agencies conduct a
privacy impact assessment to determine how personal information is
collected, accessed and stored. He also recommended that agencies
ensure they are in compliance with the 2002 Federal Information
Security Management Act.
Walker urged lawmakers to consider legislation that would require
agencies to disclose breaches involving personal data, and create
additional requirements for accessing such information.
"There is a gap here when it comes to sensitive personal information,"
Walker said.
Clay Johnson, deputy director for management in the Office of
Management and Budget, testified that he believes the administration
has enough authority to prevent future breaches across the government,
but a review will be conducted to see if "extra teeth" are needed.
"I'm told that there are dozens of security breaches involving laptops
[each year]," Johnson said. "None of these involved 26 million names.
This is the 100-year storm of security breaches."
Johnson said it is the administration's policy that all sensitive data
on laptops be encrypted, but it's not always enforced. In the VA case,
the information on the employee's stolen laptop and external hard
drive was not encrypted, leaving it vulnerable to identity thieves.
From isn at c4i.org Fri Jun 9 12:43:55 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:43:55 -0500 (CDT)
Subject: [ISN] NIST supplies IT security handbook to managers
Message-ID:
http://www.fcw.com/article94829-06-08-06-Web
By Wade-Hahn Chan
June 8, 2006
The National Institute of Standards and Technology has released a
draft of its Information Security Handbook. The handbook provides an
overview of information security measures to give managers a better
understanding of how to implement an information security program.
According to NIST's computer security resource center, the purpose of
the handbook is to inform the information security management team
about expected implementation and oversight of various aspects of
information security in their organizations. The publication includes
summaries of existing NIST publications and standards.
The 124-page document includes a section on designing, implementing
and overseeing a program for awareness and training for information
security standards. Other topics include summaries of the
responsibilities of agency heads, developing a life cycle for systems
development and detailing specific performance metrics for systems
evaluation. There is an extensive Frequently Asked Questions section
toward the end of the publication.
NIST is requesting that comments on the handbook be sent to
handbk-100 at nist.gov. NIST will be accepting comments until August 7.
From isn at c4i.org Fri Jun 9 12:44:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:44:12 -0500 (CDT)
Subject: [ISN] Microsoft product phones home every day
Message-ID:
http://www.theregister.co.uk/2006/06/08/ms_wga_phones_home/
By John Oates
8th June 2006
Microsoft has admitted that Windows Genuine Advantage (WGA) will phone
Redmond every day - something it neglected to tell users before they
installed it.
WGA is designed to detect pirated copies of MS software but is also
creating some false positives - two UK dealers have contacted the Reg
to report customers complaining that WGA had branded their software as
an illegal copy.
The software checks what is installed on your machine and then reports
back to Microsoft - it sends your IP number and information on your
software set-up. If your software is dodgy you will start receiving
pop-up reminders from Microsoft.
Michaela Alexander, head of anti-piracy at Microsoft UK, told the Reg:
"First of all this is a pilot - customers have the choice to subscribe
or not. WGA is very careful about which license keys are checked -
some numbers have been leaked and therefore have been culled by
Microsoft. If customers bought a genuine copy of Windows but as a
result of a poor installation or a repair a different license key was
used then WGA would flag it as not genuine."
But Alexander said all this was detailed in the opt-in process. But
she added: "The last thing we want is unhappy customers so we are
investigating this - but it is a pilot and this is part of the
process."
The word from the US is that Microsoft will change WGA so it only
phones home once a fortnight, instead of every day, and will do a
better job of letting users know what the software is doing. More from
Seattle Post Intelligencer here [1].
One of the dealers with the original problem emailed us the following:
The problem was caused by an active-x control being blocked by IE
security. The fix was to go to http://www.microsoft.com/genuine/diag
and follow the instructions.
This runs through a series of checks to ensure that the validation
process can operate correctly, then advises of the necessary changes
in IE setup to permit correct validation. In the case of our clients,
the problem was correctly diagnosed and the resolution worked fine.
It's just alarming that for a simple security problem, Microsoft had
informed the end user (by way of a message displayed on their screen)
that they might be [quote] "The victim of software counterfeiting".
[1] http://seattlepi.nwsource.com/local/6420AP_WA_Microsoft_Monitoring_Piracy.html
From isn at c4i.org Fri Jun 9 12:44:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:44:29 -0500 (CDT)
Subject: [ISN] Academy hackers under investigation
Message-ID:
http://www.theoaklandpress.com/stories/060806/loc_2006080604.shtml
By DAVE GROVES
Of The Oakland Press
June 8, 2006
BLOOMFIELD HILLS - The principal of the acclaimed International
Academy said he believes the school's image will not be marred by what
he describes as serious but immature mistakes made by five students.
Bert Okma said he and other academy employees are completing an
investigation into the mostly freshmen students' hacking of a school
information system and the alteration of several academic grade
records.
"I think they saw it as a game ... and a chance to improve their
academic standing," the principal said. "If they had been willing to
dedicate as much time to their studies as they did to this, we
wouldn't be dealing with the issue."
Administrators have had extensive conversations with the students, who
came forward after several teachers recognized disparities between
grades in their personal records and those appearing on the school's
computer system.
An investigation revealed that sometime in November, the students had
installed software on the system that provided them with faculty user
names and passwords.
International Academy's Joint Steering Committee has reviewed the
situation and determined that the five students will face disciplinary
action ranging from loss of academic credit to expulsion.
The extent of the consequences will be determined through hearings
conducted with school officials, the students and their parents in
coming weeks. Okma said mitigating circumstances will be considered
individually at that time.
Students also could face criminal charges depending on the
investigation findings and desires of school administrators.
Lt. Steve Cook of the Bloomfield Township Police Department said that
the school has not yet requested police involvement in the matter.
"Depending on what their investigation reveals, could there be
criminal charges issued? I would say there is that possibility," he
said.
Cook did not want to speculate on potential charges.
Meanwhile, academy staff are undertaking the daunting task of
reviewing all test grades recorded for all students this year. This is
because the students responsible for the computer security breach are
suspected to have changed both their own grades and those of others.
Okma said that while teachers are frustrated, disappointed and hurt by
the revelation, they remain resolved not to let it mar the
overwhelmingly positive view they have of the student body as a whole.
Okma believes the same sentiment will prevail outside the school.
"The reputation of the International Academy is sound and well-earned,
and I don't see this impacting that," he explained. "Everybody
understands that young people can make mistakes."
And such mistakes on the part of local youth are not unprecedented.
Last month, three North Farmington High School students were suspended
after obtaining staff passwords to district computers. Officials are
working to figure out what the students intended to do with the
information.
The Farmington Hills Police Department is investigating the matter.
Chief William Dwyer said felony charges could come next month.
"It's still ongoing," he said. "This is an extensive investigation."
Farmington school officials were alerted to the theft after a student
came forward to report the incident. With the passwords, the students
would have had to access the system while at school and not at home.
Officials do not know if any of the students accessed the system.
No information on the students has been released.
From isn at c4i.org Fri Jun 9 12:45:02 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:45:02 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - June 9th 2006
Message-ID:
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| June 9th, 2006 Volume 7, Number 24n |
| |
| Editorial Team: Dave Wreski dave at linuxsecurity.com |
| Benjamin D. Thomas ben at linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for motor, typespeed, lynx-cur,
xmcd, postgresql, centericq, freeradius, spamassassin, dia, tetex,
squirrelmail, mc, gdm, gnome-panel, dovecot, evolution, x11, libtiff,
openldap, MySQL, postgresql, quagga, zebra, and rug. The distributors
include Debian, Fedora, Mandriva, Red Hat, and SuSE.
---
Security on your mind?
Protect your home and business networks with the free, community
version of EnGarde Secure Linux. Don't rely only on a firewall to
protect your network, because firewalls can be bypassed. EnGarde
Secure Linux is a security-focused Linux distribution made to protect
your users and their data.
The security experts at Guardian Digital fortify every download of
EnGarde Secure Linux with eight essential types of open source
packages. Then we configure those packages to provide maximum
security for tasks such as serving dynamic websites, high
availability mail, transport, network intrusion detection,
and more. The result for you is high security, easy
administration, and automatic updates.
The Community edition of EnGarde Secure Linux is completely
free and open source. Updates are also freely available when
you register with the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi
---
EnGarde Secure Linux v3.0.7 Now Available
Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.7 (Version 3.0, Release 7). This
release includes several bug fixes and feature enhancements
to the Guardian Digital WebTool and the SELinux policy,
several updated packages, and several new packages
available for installation.
The following reported bugs from bugs.engardelinux.org
are fixed in this release:
#0000067 SIMAP AND SPOP3 packages are built
disabling plaintext auth
Several other bugs are fixed in this release as well.
New features include:
* A new package (hwlister) which can be used to
generate an inventory of all the hardware which
comprises your system. This package is now
installed by default with EnGarde Secure Linux.
* PHP was rebuilt with cURL support and a race
condition was fixed in shadow-utils.
* The latest stable versions of: MySQL (5.0.22),
apache (2.0.58), asterisk (1.2.8), bacula (1.38.9),
imap (2004g), openssl (0.9.8b), php5 (5.1.4),
postfix (2.2.10), snort (2.4.4), sudo (1.6.8p12),
syslog-ng (1.6.11), vim (6.4.010), and zaptel (1.2.6).
* Several new packages:
- binstats (1.08)
Binstats is a statistics generation tool for installed
programs. It is also useful for cleaning up a system by
helping find duplicate executables, unused libraries,
statically linked binaries and duplicate man pages.
- bitchx (1.1)
BitchX is an IRC (Internet Relay Chat) client that is
based on ircII (but heavily modified). It is ncurses based
and allows the user to get onto IRC without requiring the
use of GUI client.
- bittorrent (4.9.2)
Bittorrent is a scatter-gather network file transfer
protocol used for distributing files. It works in the
opposite method of regular downloads with regard to the
fact that the more people are currently downloading a
file using bittorrent, the faster it will go.
- ethereal (0.99.0)
Ethereal is a network protocol analyzer. This version is
ncurses based and allows the user to examine and capture
data from a live network.
- hyperion (1.0.2)
Hyperion is an IRC daemon that allows clients to connect
to it. This is the server that is used by Freenode.
- john (1.7.0.2)
"John" is a password cracker whose primary purpose is to
detect weak passwords in order to strengthen the overall
security of a system.
- libapache-mod_fcgid (1.09)
mod_fcgid is an apache web server module that acts as a
binary compatibility alternative to mod_fastcgi. It comes
with a new process management strategy.
- libapache-mod_mono (1.1.14)
mod_mono is an apache web server module that provides
ASP.NET support for the apache web server.
- libapache-mod_security (1.9.3)
mod_security is an apache web server module that acts as an
intrusion detection and prevention engine for web applications.
It acts as another line of defense between improperly coded
applications and the webserver.
- makejail (0.0.5)
Makejail, in conjunction with binstats, determines which binaries
a program is going to need to be chrooted and creates a chroot
jail for it.
- mc (4.6.0)
Midnight Commander is a console based ncurses visual file manager
similar to Norton Commander. It has the ability to handle
archives, FTP sites, and many other file types built in.
- paketto (1.10)
The Paketto Keiretsu is a collection of tools that use new and
unusual strategies for manipulating TCP/IP networks. scanrand is
said to be faster than nmap and more useful in some scenarios.
- psad (1.4.5)
PSAD is a collection of utilities that work with the linux
firewalling code (IPTables) to detect port scans and other
suspect traffic. It also includes the ability to configure
threshold levels based on how stringent your ruleset is.
- slat (2.0)
SLAT provides a systematic way of determining if your SE Linux
policy achieves your desired security goal. This is a useful
tool when creating or modifying SELinux policy.
All new users downloading EnGarde Secure Linux for the first
time or users who use the LiveCD environment should download this
release.
Users who are currently using EnGarde Secure Linux do not need
to download this release -- they can update their machines via
the Guardian Digital Secure Network WebTool module.
http://www.linuxsecurity.com/content/view/123016/65/
----------------------
Linux File & Directory Permissions Mistakes
One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New motor packages fix arbitrary code execution
31st, May, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122940
* Debian: New typespeed packages fix arbitrary code execution
31st, May, 2006
Niko Tyni discovered a buffer overflow in the processing of network
data in typespeed, a game for testing and improving typing speed,
which could lead to the execution of arbitrary code.
http://www.linuxsecurity.com/content/view/122948
* Debian: New lynx-cur packages fix several vulnerabilities
1st, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122956
* Debian: New xmcd packages fix denial of service
2nd, June, 2006
The xmcdconfig creates directories world-writeable allowing local
users to fill the /usr and /var partition and hence cause a denial of
service. This problem has been half-fixed since version 2.3-1.
http://www.linuxsecurity.com/content/view/122971
* Debian: New PostgreSQL packages fix encoding vulnerabilities
3rd, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122984
* Debian: New centericq packages fix arbitrary code execution
3rd, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122985
* Debian: New freeradius packages fix arbitrary code execution
3rd, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122986
* Debian: New spamassassin packages fix remote command execution
6th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123002
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
* Fedora Extras 5 update: dia-0.95-3
6th, June, 2006
This update fixes CVE-2006-1550, CVE-2006-2453, CVE-2006-2480.
http://www.linuxsecurity.com/content/view/123007
* Fedora Core 4 Update: spamassassin-3.0.6-1.fc4
6th, June, 2006
Resolves CVE-2006-2447. Note that you are affected by this bug only
if you launched spamd with both --vpopmail and --paranoid, which is
not a common configuration.
http://www.linuxsecurity.com/content/view/123011
* Fedora Core 5 Update: spamassassin-3.1.3-1.fc5
6th, June, 2006
3.1.3 Resolves CVE-2006-2447. Note that you are affected by this bug
only if you launched spamd with both --vpopmail and --paranoid, which
is not a common configuration. Also included are bug fixes from
3.1.2.
http://www.linuxsecurity.com/content/view/123015
* Fedora Core 4 Update: tetex-3.0-10.FC4
7th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123033
* Fedora Core 4 Update: squirrelmail-1.4.6-7.fc4
7th, June, 2006
CVE-2006-2842 Squirrelmail File Inclusion
http://www.linuxsecurity.com/content/view/123034
* Fedora Core 5 Update: mc-4.6.1a-13.FC5
7th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123035
* Fedora Core 5 Update: gdm-2.14.4-1.fc5.3
7th, June, 2006
This update resolves an issue in gdm-2.14.4-1.fc5.2 where GDM would
choose the wrong X server path.
http://www.linuxsecurity.com/content/view/123036
* Fedora Core 5 Update: gnome-panel-2.14.2-1.fc5.1
7th, June, 2006
The gnome-panel package has been rebuilt against the latest
evolution-data-server package.
http://www.linuxsecurity.com/content/view/123037
* Fedora Core 5 Update: squirrelmail-1.4.6-7.fc5
7th, June, 2006
CVE-2006-2842 Squirrelmail File Inclusion Vulnerability
http://www.linuxsecurity.com/content/view/123038
* Fedora Core 5 Update: dovecot-1.0-0.beta8.1.fc5
7th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123039
+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+
* Mandriva: Updated evolution packages fix DoS (crash) vulnerability
on certain messages.
1st, June, 2006
Evolution, as shipped in Mandriva Linux 2006.0, can crash displaying
certain carefully crafted images.
http://www.linuxsecurity.com/content/view/122966
* Mandriva: Updated xorg-x11 packages to address bug with keyboard
layouts.
5th, June, 2006
A misapplied patch in a recent X.org update caused keyboard layout
problems which resulted in some users being unable to use the
CTRL-ALT-function key combination to switch to a console, as well as
other keyboard mapping issues.
Updated packages have been re-patched to correct these issues.
http://www.linuxsecurity.com/content/view/123000
* Mandriva: Updated libtiff packages fix tiffsplit vulnerability
5th, June, 2006
A stack-based buffer overflow in the tiffsplit command in libtiff
3.8.2 and earlier might allow attackers to execute arbitrary code via
a long filename.
http://www.linuxsecurity.com/content/view/123001
* Mandriva: Updated openldap packages fix buffer overflow
vulnerability.
7th, June, 2006
A stack-based buffer overflow in st.c in slurpd for OpenLDAP might
allow attackers to execute arbitrary code via a long hostname.
Packages have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/123029
* Mandriva: Updated MySQL packages fix SQL injection vulnerability.
7th, June, 2006
SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x
before 5.0.22 allows context-dependent attackers to execute arbitrary
SQL commands via crafted multibyte encodings in character sets such
as SJIS, BIG5, and GBK, which are not properly handled when the
mysql_real_escape function is used to escape the input. MySQL 4.0.18
in Corporate 3.0 and MNF 2.0 is not affected by this issue. Packages
have been patched to correct this issue.
http://www.linuxsecurity.com/content/view/123030
* Mandriva: Updated postgresql packages fix SQL injection
vulnerabilities.
7th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123032
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Moderate: quagga security update
1st, June, 2006
Updated quagga packages that fix several security vulnerabilities are
now available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/122967
* RedHat: Moderate: zebra security update
1st, June, 2006
Updated zebra packages that fix several security vulnerabilities are
now available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/122968
* RedHat: Moderate: dia security update
1st, June, 2006
Updated Dia packages that fix several buffer overflow bugs are now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/122969
* RedHat: Moderate: spamassassin security update
6th, June, 2006
Updated spamassassin packages that fix an arbitrary code execution
flaw are now available. This update has been rated as having moderate
security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123010
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
* SuSE: cron local privilege escalation
31st, May, 2006
The code in do_command.c in Vixie cron does not check the return code
of a setuid call, which might allow local users to gain root
privileges if setuid fails in cases such as PAM failures or resource
limits. This problem is known to affect only distributions with
Linux 2.6 kernels, but the package was updated for all distributions
for completeness. This problem is tracked by the Mitre CVE ID
CVE-2006-2607.
http://www.linuxsecurity.com/content/view/122947
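The advisory above describes a missing return-code check on setuid(). As an added illustration (not code from Vixie cron, SUSE or the newsletter), the block below shows the hardened pattern a daemon should use before running anything on a user's behalf: check each ID-changing call, read the IDs back, and refuse to execute if the drop did not take. The function names drop_privileges and run_as are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * The flaw the advisory describes looks, in essence, like this:
 *
 *     setgid(gid);
 *     setuid(uid);      // return value never examined
 *     execve(cmd, ...); // runs as root if setuid() failed
 *
 * On Linux 2.6, setuid() can fail with EAGAIN when the target user is
 * already at RLIMIT_NPROC, and PAM session failures can also leave the
 * caller's privileges in place. Ignoring the return code turns such a
 * failure into a root shell for the user's crontab command.
 */

/* Hardened privilege drop. Returns 0 only if every call succeeded and
 * the kernel verifiably applied the new IDs; otherwise -1 with errno
 * set, and the caller must not execute anything. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Group first: once we are no longer root we cannot change it. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify rather than trust: read the IDs back. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Run path/argv as uid:gid in a child process. The command is executed
 * only if the drop succeeded. Returns the command's exit status, or -1
 * if privileges could not be dropped or the command could not run. */
int run_as(uid_t uid, gid_t gid, const char *path, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) {
            fprintf(stderr, "refusing to run %s: %s\n",
                    path, strerror(errno));
            _exit(127); /* sentinel: nothing was executed */
        }
        execv(path, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) != 127)
        return WEXITSTATUS(status);
    return -1;
}

int main(void) {
    /* Stand-alone demo: run "id" as the current user (always permitted)
     * and then attempt uid 0, which must be refused unless we are root. */
    char *const id_argv[] = {"id", NULL};
    int rc = run_as(getuid(), getgid(), "/usr/bin/id", id_argv);
    printf("run as self: exit status %d\n", rc);
    rc = run_as(0, 0, "/usr/bin/id", id_argv);
    printf("run as root: %s\n", rc == -1 ? "refused" : "ran");
    return 0;
}
```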
* SuSE: kernel (SUSE-SA:2006:028)
31st, May, 2006
Multiple vulnerabilities have been fixed in the linux kernel.
http://www.linuxsecurity.com/content/view/122949
* SuSE: rug (SUSE-SA:2006:029)
31st, May, 2006
Updated package.
http://www.linuxsecurity.com/content/view/122950
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
From isn at c4i.org Fri Jun 9 12:42:47 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:42:47 -0500 (CDT)
Subject: [ISN] Social Engineering, the USB Way
Message-ID:
http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1
By Steve Stasiukonis
JUNE 7, 2006
We recently got hired by a credit union to assess the security of its
network. The client asked that we really push hard on the social
engineering button. In the past, they'd had problems with employees
sharing passwords and giving up information easily. Leveraging our
effort in the report was a way to drive the message home to the
employees.
The client also indicated that USB drives were a concern, since they
were an easy way for employees to steal information, as well as bring
in potential vulnerabilities such as viruses and Trojans. Several
other clients have raised the same concern, yet few have done much to
protect themselves from a rogue USB drive plugging into their network.
I wanted to see if we could tempt someone into plugging one into their
employer's network.
In the past we had used a variety of social engineering tactics to
compromise a network. Typically we would hang out with the smokers,
sweet-talk a receptionist, or commandeer a meeting room and jack into
the network. This time I knew we had to do something different. We
heard that employees were talking within the credit union and were
telling each other that somebody was going to test the security of the
network, including the people element.
We figured we would try something different by baiting the same
employees that were on high alert. We gathered all the worthless
vendor giveaway thumb drives collected over the years and imprinted
them with our own special piece of software. I had one of my guys
write a Trojan that, when run, would collect passwords, logins and
machine-specific information from the user's computer, and then email
the findings back to us.
The next hurdle we had was getting the USB drives in the hands of the
credit union's internal users. I made my way to the credit union at
about 6 a.m. to make sure no employees saw us. I then proceeded to
scatter the drives in the parking lot, smoking areas, and other areas
employees frequented.
Once I seeded the USB drives, I decided to grab some coffee and watch
the employees show up for work. Surveillance of the facility was worth
the time involved. It was really amusing to watch the reaction of the
employees who found a USB drive. You know they plugged them into their
computers the minute they got to their desks.
I immediately called my guy that wrote the Trojan and asked if
anything was received at his end. Slowly but surely info was being
mailed back to him. I would have loved to be on the inside of the
building watching as people started plugging the USB drives in,
scouring through the planted image files, then unknowingly running our
piece of software.
After about three days, we figured we had collected enough data. When
I started to review our findings, I was amazed at the results. Of the
20 USB drives we planted, 15 were found by employees, and all had been
plugged into company computers. The data we obtained helped us to
compromise additional systems, and the best part of the whole scheme
was its convenience. We never broke a sweat. Everything that needed to
happen did, and in a way it was completely transparent to the users,
the network, and credit union management.
Of all the social engineering efforts we have performed over the
years, I always had to worry about being caught, getting detained by
the police, or not getting anything of value. The USB route is really
the way to go. With the exception of possibly getting caught when
seeding the facility, my chances of having a problem are reduced
significantly.
You've probably seen the experiments where users can be conned into
giving up their passwords for a chocolate bar or a $1 bill. But this
little giveaway took those a step further, working off humans' innate
curiosity. Emailed virus writers exploit this same vulnerability, as
do phishers and their clever faux Websites. Our credit union client
wasn't unique or special. All the technology and filtering and
scanning in the world won't address human nature. But it remains the
single biggest open door to any company's secrets.
Disagree? Sprinkle your receptionist's candy dish with USB drives and
see for yourself how long it takes for human nature to manifest
itself.
- Steve Stasiukonis is VP and founder of Secure Network Technologies Inc.
Special to Dark Reading
From isn at c4i.org Fri Jun 9 12:43:00 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 9 Jun 2006 11:43:00 -0500 (CDT)
Subject: [ISN] 'BlueBag' PC sniffs out Bluetooth flaws
Message-ID:
http://www.infoworld.com/article/06/06/07/79045_HNbluebag_1.html
By Robert McMillan
IDG News Service
June 07, 2006
If you happened to fly through Milan's Malpensa Airport last March,
your mobile phone may have been scanned by the BlueBag.
Billed as a research lab on wheels, BlueBag was created by Milan's
Secure Network SRL to study how malicious software might be able to
spread among devices that use the Bluetooth wireless standard.
Basically, it's a Bluetooth-sniffing computer hidden in a suitcase [1]
(Note: PDF file) that was rolled through train stations, a shopping
center, and even a computer security conference show floor this year
to see how many Bluetooth-enabled devices attackers could potentially
infect with a worm or a virus.
The answer: quite a lot. In just under 23 hours of travel, BlueBag was
able to spot more than 1,400 devices with which, in theory, it could have
connected. Among the discoverable devices were a number of Nokia
Corp.'s mobile phones and TomTom International BV's Go global
positioning systems, said Stefano Zanero, Secure Network's co-founder
and chief technology officer.
"Most of the devices that we found were from the same manufacturers
because their default Bluetooth connection setup is to be
discoverable, which is very good for ease of use, but very bad for
security," he said.
Though many Bluetooth devices are designed to be hidden or detectable
for very short periods of time, some manufacturers make their products
detectable by default to simplify hook up with other Bluetooth-enabled
machines -- a car sound system for example. Unfortunately, this
practice also makes life easier for hackers, Zanero said. "Any
discoverable device is potentially vulnerable to attacks," he said.
For example, BlueBag found 313 devices with the OBEX (Object Exchange)
vCard and vCalendar exchange service enabled, making them prey for
known Bluetooth virus attacks.
BlueBag's data is going to help Zanero and his researchers understand
how attackers might use Bluetooth's ability to connect with other
devices to create a targeted attack.
In a scenario they've envisioned, the bad guys could infect Bluetooth
devices in a train station one morning, telling them to infect other
equipment and seek out specific pieces of information. "You can
deliver your malware, leave it for a few hours, and then catch it when
[the user] goes home," Zanero said. "This makes it possible to perform
the targeted attack that we have in mind."
At the August Black Hat USA 2006 conference in Las Vegas, the Secure
Network team plans to unveil some proof of concept malware showing how
this type of attack might work.
The hard part has been devising a protocol that will allow the malware
to report back to an attacker. And since the researchers can't
actually infect a bunch of Bluetooth phones, they need BlueBag to
provide them with data so they can estimate how such malware might
spread. "This gives you the figures you need for creating some small,
not-very-reliable models of how these worms could interact," Zanero
said.
Secure Network's research, which was co-sponsored by antivirus vendor
F-Secure Corp. is not the first to highlight Bluetooth's security
vulnerabilities.
A year ago, hackers showed how they could connect to hands-free
Bluetooth systems in some cars [2] to eavesdrop on telephone
conversations and even talk to unsuspecting drivers. The software,
called Car Whisperer, took advantage of poor security programming
techniques on the part of the car manufacturers.
And variants of the Cabir Bluetooth viruses [3] have been around for
two years now. Cabir, which has never become widespread, preys on the
kind of discoverable phones that BlueBag measured.
To avoid being bitten by Bluetooth attacks, Zanero says users should
check their settings and make sure their device is set to be "hidden"
or "non-discoverable."
This isn't a panacea, but it will make things harder for attackers.
Using Bluetooth is "like sex," Zanero said. "It's better with
precautions."
[1] http://www.securenetwork.it/bluebag_brochure.pdf
[2] http://www.infoworld.com/article/05/08/03/HNcarwhisperer_1.html
[3] http://www.f-secure.com/v-descs/cabir.shtml
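The tallies quoted above (1,400-odd discoverable devices, clusters from the
same manufacturers, 313 with an OBEX service enabled) come straight out of an
inquiry scan followed by an SDP browse of each responding device. The example
below is added here and is not Secure Network's BlueBag code; it runs that
tally over a constructed survey in a one-device-per-line format modelled on
what you would assemble from BlueZ 'hcitool scan' and 'sdptool browse'. The
OUI-to-vendor table is a placeholder assumption, not the IEEE registry.

```python
"""Tally a Bluetooth inquiry plus SDP-browse survey the way BlueBag's numbers
are reported: discoverable devices, who makes them, and how many expose OBEX.

Input format is constructed for this example: one device per line,
  <bdaddr>  <name>  <comma-separated 16-bit SDP service class UUIDs, hex>
The OUI-to-vendor table is a placeholder assumption, not the IEEE registry.
"""
from collections import Counter

# Bluetooth SIG assigned 16-bit service class UUIDs referenced below.
OBEX_OBJECT_PUSH = 0x1105    # vCard/vCalendar push; what Cabir-style worms deliver over
OBEX_FILE_TRANSFER = 0x1106
HEADSET = 0x1108
HANDSFREE = 0x111E

# Placeholder OUI prefixes (assumption for the example; use the IEEE OUI list in real work).
OUI_VENDOR = {
    "00:11:22": "vendor-a-phones",
    "00:33:44": "vendor-b-navigation",
    "00:55:66": "vendor-c-headsets",
}

# Constructed survey; the headset appears twice because the bag rolled past it twice.
SAMPLE_SURVEY = """\
# bdaddr              name        services
00:11:22:0A:0B:0C     phone-1     1105,1106,111E
00:11:22:0D:0E:0F     phone-2     1105,111E
00:33:44:01:02:03     nav-1       111E
00:55:66:AA:BB:CC     headset-1   1108
00:11:22:10:20:30     phone-3     1105
00:55:66:AA:BB:CC     headset-1   1108
00:33:44:04:05:06     nav-2       1105,111E
"""


def parse_survey(text):
    """Return one record per unique BD_ADDR; a device seen twice is counted once."""
    devices = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        bdaddr, name = parts[0].upper(), parts[1]
        services = parts[2] if len(parts) > 2 else ""
        uuids = {int(u, 16) for u in services.split(",") if u}
        devices.setdefault(bdaddr, {"bdaddr": bdaddr, "name": name, "services": uuids})
    return list(devices.values())


def vendor_of(bdaddr):
    """The upper three octets of a BD_ADDR are an IEEE OUI, so they identify the maker."""
    return OUI_VENDOR.get(bdaddr[:8], "unknown")


def obex_exposed(device):
    """True if the device advertises an OBEX service that accepts unsolicited pushes."""
    return bool(device["services"] & {OBEX_OBJECT_PUSH, OBEX_FILE_TRANSFER})


def summarize(devices):
    """The numbers the BlueBag write-up quotes, plus the list of pushable targets."""
    return {
        "discoverable": len(devices),
        "by_vendor": Counter(vendor_of(d["bdaddr"]) for d in devices),
        "obex_exposed": sum(1 for d in devices if obex_exposed(d)),
        "obex_targets": sorted(d["bdaddr"] for d in devices if obex_exposed(d)),
    }


if __name__ == "__main__":
    s = summarize(parse_survey(SAMPLE_SURVEY))
    print(f"discoverable devices: {s['discoverable']}")
    for vendor, n in s["by_vendor"].most_common():
        print(f"  {vendor}: {n}")
    print(f"OBEX push/FTP exposed: {s['obex_exposed']} -> {', '.join(s['obex_targets'])}")
```

Deduplicating on BD_ADDR matters because a roaming survey passes the same
device more than once. The OBEX count is the one to watch: Object Push
(0x1105) is the service a Cabir-style worm uses to hand its payload to a
discoverable phone, which is why the advice in the article is simply to go
non-discoverable.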
From isn at c4i.org Mon Jun 12 04:22:44 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:22:44 -0500 (CDT)
Subject: [ISN] Another federal breach exposes employee records
Message-ID:
http://www.govexec.com/dailyfed/0606/060906tdpm1.htm
By Heather Greenfield
National Journal's Technology Daily
June 9, 2006
The Energy Department disclosed to Congress on Friday that it suffered
a security breach from a hacker in September that compromised 1,500
personnel records.
The news broke just as a House Energy and Commerce Oversight and
Investigations Subcommittee was supposed to start a hearing on how
secure Energy Department computers are in light of recently reported
data breaches at the Internal Revenue Service and Veterans Affairs
Department.
Kentucky Republican Ed Whitfield, chairman of the Subcommittee, said
there is no excuse for the department to have its current "F" in
cyber-security compliance -- or for waiting eight months to tell the
Energy secretary or his committee about the security breach.
"It's unbelievable [that] 1,500 personnel files can be compromised
with Social Security numbers," Whitfield said. "The impact that can
have on individuals is quite disturbing."
Full Energy and Commerce Committee Chairman Joe Barton, R-Texas,
visited the hearing room to express his outrage at the data breach and
later called Energy Secretary Samuel Bodman. "If the administration
won't do something about this incident, this committee will," he said.
While most of the details of the hacking incident were discussed later
in executive session, a government agency that tests the department by
breaking into its computer system said the attack was at the National
Nuclear Security Administration.
NNSA Administrator Linton Brooks said he learned of the
"sophisticated" hacking incident in September. He said he did not know
whose job it was to tell Bodman, but he wished he had.
"Mr. Brooks, I'm going to recommend you be removed from office, and I
think you would do the country a service if you resigned," Barton
said. Brooks said that because the breach was labeled a
counterintelligence issue, the two sides of the organization each
assumed the other had notified the secretary. Barton called that
explanation "hogwash."
Energy Chief Information Officer Thomas Pyke said he was aware of
various hacking incidents but only learned of the personnel data
involved two days ago.
Pyke said the department faces hundreds of thousands of attacks each
day. In the event where the records were exposed, he said the attack
penetrated both a firewall and a detection system.
Glenn Podonsky, director of the office of security and safety
performance assessment, told lawmakers that in November, his team
successfully accessed Energy's unclassified computer system. He said
they gained access to financial and personal data, and could have
impersonated or monitored department executives.
"We basically had domain control," Podonsky said. He said with
security improvements made since then that the office could break in
but not gain domain control.
He said his office believes Energy is moving too slowly in making
security improvements and noted that part of the problem is because of
work done by outside contractors.
Whitfield also wanted to know why the Energy Department has failed to
report 50 percent of attacks to its computer systems. Podonsky said he
agreed they should be reported to help law enforcers track them.
©2006 by National Journal Group Inc. All rights reserved.
From isn at c4i.org Mon Jun 12 04:24:18 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:24:18 -0500 (CDT)
Subject: [ISN] Washington Whispers
Message-ID:
http://www.usnews.com/usnews/politics/whispers/articles/060619/19whisplead.htm
By Paul Bedard
6/19/06
'Secretary of Tech' Is No Fan of E-mail
He may be in charge of the gizmos used to find illegal border crossers
and deadly chemicals in subways, but Homeland Security Secretary
Michael Chertoff likes to keep his personal tech simple. "I don't use
E-mail," he confides. "You just get deluged with a lot of garbage."
Chertoff describes his experience with electronic mail as "picking
through genuine work E-mails and invitations to baby showers." Worse:
"People sometimes will think you've gotten something that you actually
haven't gotten." Been there.
Chertoff insists he's not out of touch just because he isn't glued to
a BlackBerry. "I rely on people communicating with my staff," he says.
"At any moment, I can request an update, and I can always be reached."
His E-mail discipline has roots in last year's Hurricane Katrina, when
unfiltered messages about the levee breach flooded in after he'd left
for the night. "It is unhelpful to have 15 or 16 E-mails coming from
all different directions being thrown at you," he says. "When people
rely on E-mail chains, it can sometimes leave the decision maker
unable to sort out good information from information that's just plain
wrong." His new rule for aides: Verify the info before clicking
"forward." As for this hurricane season, he's doing better than E-mail
by personally traveling to the Gulf region to view rescue drills. "I'm
going down there," he says, "and kicking the tires myself."
[...]
From isn at c4i.org Mon Jun 12 04:24:32 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:24:32 -0500 (CDT)
Subject: [ISN] Audit finds security weaknesses at NASA center
Message-ID:
http://www.gcn.com/online/vol1_no1/40990-1.html
By Patience Wait
GCN Staff
06/09/06
At a time when the public has a heightened awareness of computer
security problems at government agencies, the NASA inspector general
has found that one of the space agency's centers has not put in place
sufficient IT security to protect data and systems from possible
compromise.
"Weaknesses in these areas could lead to the compromise of the
computer network," the IG found.
The center audited by the IG was not identified, and only a summary of
the report [1] was released June 2.
According to the report summary, NASA system administrators at the
center did not:
* Periodically review critical firewall audit logs and modems used to
protect the computer network
* Monitor for the use of files and commands with security risks
* Consistently perform system backups
* Meet NASA requirements for storing backup media.
The IG's audit found other problems as well. System administrators
also accessed a key server containing security information without
adequate encryption and did not remove unnecessary services from the
network. Software patches were not installed in a timely manner to fix
security weaknesses in the network servers, and vulnerabilities found
during security scans of the systems were not promptly fixed. Finally,
NASA had no formal policy governing foreign nationals' use of laptops
or other electronic devices while visiting the NASA center or working
onsite.
"We recommended that the NASA center take actions to improve security
controls over the network, to include developing, implementing, and
enforcing procedures and controls over auditing and monitoring, the
use of software and unnecessary services, the installation of patches,
and system backups," the summary concluded. "We also recommended that
the center develop and implement a formal policy to prohibit foreign
nationals' onsite use of their own laptops and other electronic
devices."
Of 13 specific recommendations made by the IG, NASA agreed with nine,
and has already taken or planned corrective actions. The internal
auditors planned follow-up actions on those issues not yet resolved.
[1] http://www.hq.nasa.gov/office/oig/hq/audits/reports/FY06/ig-06-008-summary.pdf
From isn at c4i.org Mon Jun 12 04:27:24 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:27:24 -0500 (CDT)
Subject: [ISN] Ex-Boss Describes Sys Admin's Anger During PaineWebber
Sabotage Trial
Message-ID:
http://www.informationweek.com/news/showArticle.jhtml?articleID=188703100
By Sharon Gaudin
InformationWeek
Jun 8, 2006
Newark, N.J. -- On the day a system administrator at UBS PaineWebber
learned his annual bonus had fallen short by about $15,000, he leveled
an ultimatum at his boss: give him a written contract for more money
or he was walking out the door, according to testimony Thursday in the
federal criminal computer sabotage trial.
But prosecutors charge that quitting his job wasn't the only thing on
his mind in late February of 2002. They say Roger Duronio, a
three-year employee in the financial giant's IT department, had
already hatched a plan to plant malicious code on the network that
would wipe out critical data across the country and drive down the
company's stock price.
Once Duronio packed up and was escorted out the building that day, he
headed straight to a broker's office to buy stock options that would
pay out if UBS suffered a setback. And that, the government contends,
put the final stages of Duronio's plot into action.
"On the day the actual bonuses were paid out.... Roger came into my
office and, in somewhat of an upset tone, said he wanted a written
contract for his compensation," Rajeev Khanna, manager for UBS's Unix
Systems Group at the time of the attack, told the jury in his second
day of testimony in U.S. District Court before Judge Joseph Greenaway.
"He said if he did not have a contract by the end of the day, he was
going to start packing.... He was visibly upset. It was his tone and
there was some redness on his face."
Duronio faces four counts, including computer sabotage, securities
fraud, and mail fraud, in connection with the incident, which left
about 8,000 of the company's brokers without the ability to trade for
a day or more, and 9,000 other workers without the ability to access
their desktops. It also leveled servers in the company's home office
in Weehawkin, N.J., and in nearly every branch office around the
country.
Duronio reportedly wanted to take home $175,000 a year. At the time he
quit his job at UBS, he was making a base salary of $125,000 and had
an opportunity for a maximum bonus of $50,000.
It was the loss of that $15,000 that pushed Duronio to walk away from
his job and try to make bigger money by investing in short-term "put
options," which are a type of investment that only pay out if the
company's stock price falls. The shorter the term--in this case 11
days--the bigger the payout.
The prosecution says Duronio started building components of the
malicious code - what they're calling a logic bomb - the previous
November.
By the time Duronio found out for sure in February that he wasn't
getting the bonus he'd been expecting, the logic bomb was already
built and loaded onto the main host server in UBS's data center in
Weehawkin, N.J., and on about 370 branch servers around the country.
When he quit his job that day, the government says, the code was
already sitting quietly on the servers just waiting for 9:30 a.m. on
March 4 to go off.
In earlier testimony at the trial, PaineWebber employees described how
the network still hasn't recovered, four years later.
But Chris Adams, Duronio's defense attorney and a partner at Walder,
Hayden & Brogan in Roseland, N.J., says his client not only didn't
commit the crime, he was a valuable employee at UBS PaineWebber, which
changed its name to UBS Wealth Management USA in 2003.
UBS' network was riddled with security holes that left them wide open
to attack, Adams said in his opening statements Tuesday. The network
also left Duronio wide open to someone else using his ID and passwords
to masquerade as the system administrator and move around undetected
in the system.
On cross examination Thursday, Adams asked Khanna, who had been
Duronio's supervisor, if the defendant had been a good worker and
integral to the IT team.
Khanna replied that he "would not say" Duronio had been outstanding.
But he agreed with Adams that he had marked Duronio as someone who
"consistently meets and sometimes exceeds" expectations.
Khanna described Duronio as a valuable worker even in his main
testimony in front of the prosecutor, Assistant U.S. Attorney Mauro
Wolfe. "Overall, I gave him a satisfactory rating," he testified. "He
did what he was asked to do and he did it well."
Khanna said that's why he went to bat for Duronio and sought a raise
for him in 2000, not long after the defendant started work at UBS.
Duronio's pay went up $10,000 that year. "He expressed some concerns
about cash flow and not having enough money coming in on a monthly
basis," said Khanna.
But by the fall of 2001, it became clear that the drooping economy and
the troubled market were taking a toll on UBS. Khanna said he simply
had a much smaller pool of bonus money to work with that year. As the
manager of a few people himself, Duronio was even in on some of the
conversations about having to lessen workers' bonuses that year,
Khanna added.
And even when Duronio threatened to quit on the spot if he wasn't
given a contract that day, Khanna says he went to his supervisor and
to Human Resources to see if anything could be done. Later, when
Khanna escorted Duronio back to his desk to collect his things, he
said he had already packed them up into a box.
The defense will continue its cross-examination of Khanna on Friday
morning.
Copyright © 2006 CMP Media LLC, All rights reserved.
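The coverage above says the code sat quietly on the main host and about 370
branch servers waiting for 9:30 a.m. on March 4, but not how the trigger was
built. The example below is added here and is not from the case or from UBS;
it assumes a Vixie-style crontab as the scheduler and triages entries on the
shape a time-triggered logic bomb would take: pinned to one calendar date,
running destructive commands, living in a temp or dot directory, or erasing
the crontab behind it. The crontab is constructed; only the trigger time is
borrowed from the article.

```python
"""Hunt a crontab for entries shaped like a time-triggered logic bomb.

Added example; the trial coverage does not say how the UBS trigger was built,
so this assumes a Vixie-style crontab. The crontab below is constructed; only
the trigger time (9:30 a.m., March 4) is taken from the article.
"""
import re
from dataclasses import dataclass, field

DESTRUCTIVE = [
    re.compile(r"\brm\s+-\w*r"),             # recursive rm
    re.compile(r"\bdd\b.*\bof=/dev/"),        # raw write onto a block device
    re.compile(r"\b(mkfs|shred|wipefs)\b"),
    re.compile(r"\bfind\b.*\s-delete\b"),
]
HIDDEN_PATH = re.compile(r"(^|[\s;|&])(/tmp/|/var/tmp/|/dev/shm/)|/\.[\w-]")
REMOVES_CRONTAB = re.compile(r"\bcrontab\s+-r\b")

SAMPLE_CRONTAB = """\
# constructed crontab for the example; not taken from the case
MAILTO=root
0 2 * * * /usr/local/bin/backup.sh
15 * * * * /usr/bin/find /tmp -mtime +7 -delete
@reboot /usr/local/bin/agent --start
30 9 4 3 * /bin/rm -rf /home /var/opt/app >/dev/null 2>&1; /usr/bin/crontab -r
30 9 4 3 * /tmp/.x/run >/dev/null 2>&1
"""


@dataclass
class CronEntry:
    schedule: tuple          # (minute, hour, dom, month, dow) or ("@reboot",) etc.
    command: str
    tags: list = field(default_factory=list)


def parse_crontab(text):
    """Parse user-crontab lines; skips comments, blanks and VAR=value settings."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        if line.startswith("@"):                       # @reboot, @daily, ...
            special, _, command = line.partition(" ")
            entries.append(CronEntry((special,), command.strip()))
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            entries.append(CronEntry(tuple(parts[:5]), parts[5]))
    return entries


def date_pinned(schedule):
    """True when day-of-month and month are both literal: the job fires on one
    calendar date a year, which is a trigger, not maintenance."""
    if len(schedule) != 5:
        return False
    _, _, dom, month, _ = schedule
    return bool(re.fullmatch(r"[\d,]+", dom) and re.fullmatch(r"[\d,]+", month))


def tag(entry):
    """Attach the triage tags that apply to one entry and return them."""
    tags = []
    if date_pinned(entry.schedule):
        tags.append("date_pinned")
    if any(p.search(entry.command) for p in DESTRUCTIVE):
        tags.append("destructive")
    if HIDDEN_PATH.search(entry.command):
        tags.append("hidden_path")
    if REMOVES_CRONTAB.search(entry.command):
        tags.append("removes_crontab")
    entry.tags = tags
    return tags


def hunt(text):
    """Flagged entries, most tags first; date_pinned plus destructive is the bomb shape."""
    flagged = [e for e in parse_crontab(text) if tag(e)]
    flagged.sort(key=lambda e: -len(e.tags))
    return flagged


if __name__ == "__main__":
    for e in hunt(SAMPLE_CRONTAB):
        print(" ".join(e.schedule), e.command, "->", ",".join(e.tags))
```

A real sweep also covers /etc/crontab and /etc/cron.d (which carry a user
field), the at(1) queue, and init scripts, and it is run from a known-good host
against a copy of the files rather than on the suspect box. The tags are a
triage heuristic: the nightly find job is legitimately destructive, and only
the date-pinned entries that also wipe data or remove their own crontab have
the fire-once-and-vanish shape the prosecution described.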
From isn at c4i.org Mon Jun 12 04:23:03 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:23:03 -0500 (CDT)
Subject: [ISN] China's hi-tech military disaster
Message-ID:
http://www.timesonline.co.uk/article/0,,2089-2220162,00.html
By Michael Sheridan
Far East Correspondent
The Sunday Times
June 11, 2006
A DULL boom shook the misty bamboo forests of Guangde county, 125
miles southwest of Shanghai, last Sunday, and a plume of smoke rose in
the sky, causing Chinese villagers to look up in alarm from their
tasks.
Within 24 hours China officially admitted that a "military aircraft"
had crashed, that President Hu Jintao had ordered an investigation and
that state honours would be bestowed on the victims.
Security teams sealed off the area, carting away the charred remains
of 40 people and collecting wreckage with painstaking care. It looked
like a routine military accident.
In fact the crash would reverberate all the way to Washington and Tel
Aviv, revealing details of a covert Chinese espionage effort to copy
Israeli technology in an attempt to match the United States in any
future air and sea battle.
The first clues were given by two Chinese-controlled newspapers in
Hong Kong, Ta Kung Pao and Wen Wei Po. On Monday they printed articles
disclosing that the plane was a Chinese version of the formidable
Airborne Warning and Control System (Awacs) aircraft flown by the
United States to manage air, sea and land battles.
They indicated that it was a Russian Ilyushin four-engined cargo jet,
rebuilt to house a conspicuous array of radars and codenamed KJ-2000.
The doomed flight, they implied, had been a test mission.
The disaster robbed China of 35 of its best electronic warfare
technicians, according to sources in Hong Kong. There were also five
crew members on board.
With memories fresh in Beijing of a Boeing 767 bought for the use of
former president Jiang Zemin and found to be riddled with
eavesdropping devices, there were bound to be suspicions of sabotage.
The Communist party showed how seriously it took the crash by
entrusting the inquiry to Guo Boxiong, vice-chairman of the party's
central military commission, who handles sensitive security matters.
It was without question a calamity for the Chinese military. But for
the Americans, who lost a spy plane forced down by a Chinese
interceptor jet in 2000, it was not a cause for sincere mourning. The
US Seventh Fleet is ranged off the Chinese coast, in constant contact
with Chinese planes and submarines probing its readiness to defend the
self-ruled democracy on Taiwan.
Both America and Taiwan spend undisclosed billions trying to penetrate
the wall of secrecy that surrounds China's military build-up, which
was criticised once again last week by Donald Rumsfeld, the US defence
secretary.
Spies from Taiwan are known to have scored remarkable successes. In
one recent case reported by The Washington Post, they placed in their
president's hands the proceedings of a secret standing committee
meeting on Taiwan policy within days of its taking place.
American intelligence, by contrast, concentrates on a war fought with
science and stealth to preserve its technological advantage.
For as long as the Chinese have tried to buy, steal or copy high-grade
military technology - at least since the early 1990s - the CIA and the
White House have sought to frustrate them. China relies on foreign
know-how. British propellers from the Dowty company are fitted to its
Y-8 early warning aircraft and radars made by Racal Electronics are
installed on its naval surveillance planes.
But the crown jewels of electronic warfare are made in America, which
means that China's hunger for secrets can be exploited by its foes.
Late in the cold war, the CIA supplied faulty computer items to the
Soviets, which resulted in death and destruction. So suspicions of
treachery in Beijing are bound to be reinforced by the tale of
intrigue and deception that unfolded upon examination of what led to
the fatal end of the KJ-2000.
"The PLA [People's Liberation Army] air force and navy have long
required airborne early warning aircraft," stated a report by the US
Congressional Research Service in November 2001. "Each is looking for
8-10 aircraft to supplement their own unsuccessful efforts."
In 1999 the Chinese thought they had the perfect deal. A Russian
Ilyushin-76 transport, serial number #762, was bought and flown to a
military airfield in Israel, where it was fitted with the world's most
advanced Awacs system, the Phalcon, perfected by technicians at Israel
Aircraft Industries. The cost: $250m (?135m).
Inevitably, the CIA heard of the deal and the issue went all the way
to the White House, which exerted tremendous pressure on Israel.
On July 11, 2000, Ehud Barak, then the Israeli prime minister, broke
off from peace talks at Camp David to tell President Bill Clinton that
the sale had been cancelled. Barak confided that he had sent a
personal letter of regret to Jiang Zemin.
But Chinese persistence ensured the matter did not end there. In 2002,
according to aviation specialist websites, aircraft #762, stripped of
the Phalcon system, was flown from Israel back to Russia and on to an
airfield in east China that is home to the Nanjing Research Institute
of Technology.
Moreover, the Chinese technicians had not wasted their time in Israel.
"It's not unreasonable to believe that the Israelis offered the
Chinese industrial participation to seal this high dollar deal," said
a US Department of Defence analyst, quoted in a report for the US Army
War College.
"The Phalcon system makes extensive use of commercial off-the-shelf
products, which gives easy access to the basic building blocks of the
system," the unnamed analyst added.
In 2003 aviation specialists photographed two IL-76 Awacs prototypes,
by then codenamed KJ-2000, on test flights over Nanjing. One was #762,
the other was coded B-4040.
Late last year the local aviation authorities - which in China are
controlled by the military - bought sophisticated Monopulse secondary
surveillance radars from Telephonics Corp, a New York-based subsidiary
of the Griffon Corporation, which supplies the US Awacs fleet.
The radars were due for delivery early in 2006. Their purpose was
stated to be civil aviation, but critics in Congress say the Chinese
buy such items for "dual use" in military systems.
According to specifications published by the Federation of American
Scientists, such radars can be closely integrated with an Awacs plane
to enhance targets. There is now speculation among military and
aviation attachés in the region that the ill-fated KJ-2000 may have
been testing a hitherto unproven technical capability of precisely
this nature when it crashed.
That should provide more than enough questions for Vice-Chairman Guo
and his bloodhounds from the military commission to get their teeth
into.
Copyright 2006 Times Newspapers Ltd.
From isn at c4i.org Mon Jun 12 04:23:15 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:23:15 -0500 (CDT)
Subject: [ISN] Microsoft to ease up on piracy check-ins
Message-ID:
http://news.com.com/Microsoft+to+ease+up+on+piracy+check-ins/2100-7348_3-6082334.html
By Joris Evers
Staff Writer, CNET News.com
June 9, 2006
Microsoft is cutting the cord on its antipiracy tool.
The software maker this month plans to update the Windows Genuine
Advantage Notifications program so that it only checks in with
Microsoft once every two weeks, instead of after each boot-up, a
company representative said Friday. By year's end, the tool will stop
pinging Microsoft altogether, the representative said.
The changes come after a critic likened the antipiracy tool to
spyware. He found that the program, designed to validate whether a
copy of Windows has been legitimately acquired, checks in with
Microsoft on a daily basis. Microsoft did not disclose in any of its
documentation that the application would phone home.
Microsoft earlier this week had vowed to better disclose the actions
of WGA Notifications. Now the company says it will gradually let go of
the program once it is installed on Windows PCs.
"We are changing this feature to only check for a new settings file
every 14 days," Microsoft said in a statement on its Web site. "Also,
this feature will be disabled when WGA Notifications launches
worldwide later this year."
No meaningful data is exchanged during the check-in with Microsoft,
the software maker said. Unlike the initial validation, which sends
system information to Microsoft, the check-in operation is limited to
the download of the new settings file, the company said.
Microsoft launched WGA in September 2004 and has gradually expanded
the antipiracy program. It now requires validation before Windows
users can download additional Microsoft software, such as Windows
Media Player and Windows Defender. Validation is not required for
security fixes.
Originally, people had to validate their Windows installation only
when downloading additional Microsoft software. Since November last
year, however, Microsoft has been pushing out the WGA Notifications
tool along with security updates to people in a number of countries,
including the U.S.
The first time that users run WGA Validation to check if their Windows
version is genuine, the information sent to Microsoft is the Windows
XP product key, PC maker, operating system version, PC bios
information and the user's local setting and language. Microsoft
discloses in the WGA tool license that this information is being sent.
Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Mon Jun 12 04:23:57 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 12 Jun 2006 03:23:57 -0500 (CDT)
Subject: [ISN] Linux Security Week - June 12th 2006
Message-ID:
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| June 12th, 2006 Volume 7, Number 24n |
| |
| Editorial Team: Dave Wreski dave at linuxsecurity.com |
| Benjamin D. Thomas ben at linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, perhaps the most interesting articles include "Building a
heterogeneous home network for Linux and Mac OS X," "Fundamentals of
Storage Media Sanitation," and "Password Cracking and Time-Memory
Trade Off."
---
Security on your mind?
Protect your home and business networks with the free, community
version of EnGarde Secure Linux. Don't rely only on a firewall to
protect your network, because firewalls can be bypassed. EnGarde
Secure Linux is a security-focused Linux distribution made to protect
your users and their data.
The security experts at Guardian Digital fortify every download of
EnGarde Secure Linux with eight essential types of open source
packages. Then we configure those packages to provide maximum
security for tasks such as serving dynamic websites, high
availability mail, transport, network intrusion detection,
and more. The result for you is high security, easy
administration, and automatic updates.
The Community edition of EnGarde Secure Linux is completely
free and open source. Updates are also freely available when
you register with the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi
---
EnGarde Secure Linux v3.0.7 Now Available
Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.7 (Version 3.0, Release 7). This
release includes several bug fixes and feature enhancements
to the Guardian Digital WebTool and the SELinux policy,
several updated packages, and several new packages
available for installation.
http://www.linuxsecurity.com/content/view/123016/65/
---
pgp Key Signing Observations: Overlooked Social and
Technical Considerations
By: Atom Smasher
While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking.
http://www.linuxsecurity.com/content/view/121645/49/
---
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------+
| Security News: |
+---------------------+
http://www.theregister.co.uk/2006/06/10/machines_analyse_malware/
By Robert Lemos
SecurityFocus
10th June 2006
The reverse engineer - better known amongst security researchers by
his nom de plume, Halvar Flake - created an automated system for
classifying software into groups, a process for which he believes
machines are much better suited.
Research using the system has underscored the sometimes-arbitrary
decisions humans make in classifying malicious programs, he said.
Among other anomalies, he found that Sasser.D has only a 69 per cent
correlation to previous members of the Sasser family, while two
examples of bot software, Gobot and Ghostbot, are more similar.
"It's like putting donkeys and bunnies in the same class because they
both have long ears," Dullien, the founder and CEO of
reverse-engineering tool maker Sabre Security, said in a recent
interview.
The current problems with classifying and naming viruses are among the
reasons that automated classification technology has once again become
a focus of research. The plethora of names for specific malicious
programs has caused confusion amongst consumers, despite a project
that seeks to provide guidance, if not to consumers, to software
analysts and incident responders.
In January, when a new computer virus appeared on the internet,
anti-virus companies rushed to issue alerts and inundated consumers
with a confusing array of names: Blackmal, Nyxem, MyWife, KamaSutra,
Blackworm, Tearec and Worm_Grew all describe the same mass-mailing
computer virus.
Several research projects hope to improve upon that record.
Last month, at the annual conference of the European Institute for
Computer Anti-Virus Research (EICAR), Microsoft released early results
of its development of a system to automate classification of malicious
software based on the actions performed by the code at runtime.
"A significant challenge we have today is the large number of active
malware samples, totaling on the order of tens of thousands, and
increasing rapidly," Microsoft researcher Tony Lee said in a recent
blog posting following the conference. "It has become apparent to us
that the traditional manual analysis process is not adequate in
dealing with malware of this order of magnitude, and that we should
seek automation technologies to aid human analysts."
The researchers modeled a piece of malicious software as the series of
actions that the software takes at the operating system level.
Referred to as "events" in a paper written by Lee and anti-malware
program team manager Jigar Mody, the actions can include data copying,
changing registry keys and opening network connections.
The researchers then trained a recognition engine using an adaptive
clustering algorithm - similar to self-organising maps - and
classified a previously unseen subset of malware using the trained
system. Using more clusters typically resulted in better
classification. When the software samples were classified based on 100
events, accuracy fell below 80 per cent, while classification based on
500 and 1,000 events typically has accuracy rates above 90 per cent.
Reverse engineer Dullien takes a different approach. Working with
other researchers at Sabre Security, he used automated tools to
deconstruct the actual code of virus and bot software, removing any
common libraries that the code might use and then comparing the
relationships between functions to characterise the software.
Using a database of 200 samples of bot software, a test case for the
automated process resulted in two major families of code, three
smaller groups, and several pairs and singletons. The system also
identified variants of bot software not recognised by a
signature-based anti-virus system.
Dullien believes that static analysis is a better approach to malware
classification than Microsoft's runtime analysis. Actions that a
malicious program does not perform right away - known as time-delayed
triggers - can foil runtime analysis, he said. And virus and
attack-tool writers could add a few lines of code to a program to
confuse runtime analysis, he added.
"The approach presented in the paper can be trivially foiled with very
minor high-level-language modifications in the source of the program,"
he stated in a blog entry analysing Microsoft's system.
Microsoft declined to make its researchers available for interviews.
However, in the paper, the authors argued that a combination of both
static analysis and runtime analysis would likely perform best. For
example, static analysis appears to deliver results more quickly;
Microsoft's behavioral classification requires three hours to cluster
400 files at the 1,000-event limit, according to the paper.
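As an added illustration (not Microsoft's or Sabre Security's code), the following minimal event-based classifier of the kind the paper describes runs over constructed sandbox traces. It shows how a family profile built from OS-level events classifies unseen samples, flags a sample too far from every family as a new cluster, and why a 100-event observation window can mislabel a sample whose bot behaviour only starts later, the time-delayed trigger Dullien raises. Event names, family names, traces and the similarity threshold are all hypothetical.

```python
"""Behaviour-event classification, illustrated on constructed traces.

Each trace is the ordered list of OS-level "events" a sandbox would
record for one sample (file copies, registry writes, network
connections, ...). A family profile is the set of event types seen in
the family's training traces; an unknown sample is assigned to the
family with the highest Jaccard similarity, or to no family when it is
too far from all of them. Nothing here is real malware data.
"""

# Constructed training traces, two per hypothetical family.
TRAINING = {
    "mailer": [
        ["copy_file", "write_run_key"]
        + ["read_address_book", "smtp_connect"] * 40,
        ["copy_file", "write_run_key", "read_file"]
        + ["read_address_book", "smtp_connect"] * 35,
    ],
    "ircbot": [
        ["copy_file", "write_run_key", "irc_connect"]
        + ["receive_command", "create_process"] * 30,
        ["copy_file", "write_run_key", "irc_connect"]
        + ["receive_command", "create_process", "receive_command"] * 25,
    ],
}

# Constructed unseen samples.
# A bot that idles for 120 file reads before contacting its controller,
# i.e. its distinguishing events fall outside a 100-event window.
DELAYED_BOT = (["copy_file", "write_run_key"] + ["read_file"] * 120
               + ["irc_connect"] + ["receive_command", "create_process"] * 30)
# A mass-mailer variant with one extra event type.
MAILER_VARIANT = (["copy_file", "write_run_key"]
                  + ["read_address_book", "smtp_connect"] * 10 + ["delete_file"])
# Something that matches no known family.
NOVEL = (["copy_file", "write_run_key", "open_listen_port"]
         + ["accept_connection", "send_file"] * 20)


def event_set(trace, limit=None):
    """Distinct event types within the first `limit` events (all if None)."""
    window = trace if limit is None else trace[:limit]
    return frozenset(window)


def jaccard(a, b):
    """Jaccard similarity of two sets; 1.0 for two empty sets."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def build_profiles(training, limit=None):
    """Family profile = union of event types over the family's training traces."""
    return {
        family: frozenset().union(*(event_set(t, limit) for t in traces))
        for family, traces in training.items()
    }


def classify(trace, profiles, limit=None, min_similarity=0.5):
    """Return (family, similarity) for the closest profile.

    `family` is None when no profile reaches `min_similarity`, which is
    the signal that the sample may start a new cluster rather than being
    forced into an existing family.
    """
    sample = event_set(trace, limit)
    best_family, best_sim = None, 0.0
    for family, profile in profiles.items():
        sim = jaccard(sample, profile)
        if sim > best_sim:
            best_family, best_sim = family, sim
    if best_sim < min_similarity:
        return None, best_sim
    return best_family, best_sim


def classify_at(limit):
    """Classify the three unseen samples at a given event limit."""
    profiles = build_profiles(TRAINING, limit)
    return {
        "delayed_bot": classify(DELAYED_BOT, profiles, limit)[0],
        "mailer_variant": classify(MAILER_VARIANT, profiles, limit)[0],
        "novel": classify(NOVEL, profiles, limit)[0],
    }


if __name__ == "__main__":
    # With 100 events the delayed bot only looks like "copy, persist,
    # read files" and lands in the mailer family; with 500 its IRC
    # behaviour is inside the window and it is placed correctly.
    for limit in (100, 500, None):
        print(limit, classify_at(limit))
```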
In some ways, software classification resembles the state of
biological classification back in the time of Carl Linnaeus. The 18th
century botanist pushed the scientific community of his day into
accepting a hierarchical classification system for plants and animals.
However, early classifications relied on external similarities, much
in the way that many of today's classifications rely on external
attributes of programs rather than their internal processes.
At least one other project hopes to help human analysts do a better
job of classification.
OffensiveComputing.net, a project founded by researchers Val Smith and
Danny Quist, aims to create a database of malware that records a
number of basic attributes of the code, including checksums,
anti-virus scanner results, and what type of packer the malware uses
to compress itself. The project started in response to the increase in
code sharing amongst virus and attack-tool writers and the faster
development of exploits and the faster incorporation of those exploits
into existing malicious software, OffensiveComputing's Smith said.
"The biggest benefit is more rapid response to complex threats. As the
synergy between viruses, Trojans, worms, rootkits and exploits grows,
waiting for a solution becomes more dangerous."
OffensiveComputing's database gives incident response workers and
analysts access to meaningful data about malicious software, which is
especially necessary until automated analysis programs, such as
Microsoft's and Dullien's classification systems, mature. The project
strives to be adaptable, involve the community, have measurable
results, and remain open, Smith said.
"There is an arms race going on between analysts and malware authors,
so any solution will have to keep pace with advances on both sides."
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus
From isn at c4i.org Tue Jun 13 08:07:07 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:07 -0500 (CDT)
Subject: [ISN] OU has been getting an earful about huge data theft
Message-ID:
http://www.athensnews.com/issue/article.php3?story_id=25220
By Jim Phillips
Athens NEWS Senior Writer
2006-06-12
Ohio University has spent more than $77,000 sending letters to alumni
and students affected by a computer security breach.
It's harder to put a price tag on the blow to alumni goodwill, as the
number of people affected by hacking of OU computer databases
continues to rise with the discovery of new hacking incidents.
"This is damaging OU's reputation far more than its drunk football
coach, magazine pictorials or its #2 party-school ranking, and you can
tell (OU President Roderick) McDavis that this really sucks. A lot!"
wrote one incensed alum May 10.
Another signed off his May 3 e-mail with, "You incompetent f---ing
a--holes. I will never donate a penny to you."
After announcing two computer security breaches in May, OU got
hundreds of e-mails from alums regarding the issue. The Athens NEWS
has examined more than 600 of them, provided by the university in
response to a records request.
The great majority were simply requests for information, trying to
learn whether the sender's personal data were accessed by the hackers,
and to get more detailed guidance on what to do if they were.
A number of writers, however, expressed anger, frustration and in some
cases, a distinct reluctance to donate any more money to OU.
"It was my intention to leave a sizable endowment to OU, but not any
longer," announced one.
"My husband has graciously given to the university's alumni
association many times; we will now think twice before we do it
again," warned another.
Other comments along these lines include:
"I am disgusted with you and will NEVER do anything to help you
financially."
"I will definitely be reflecting on this incident the next time I
receive an appeal for a donation to OU."
"I have donated to the university for many years, but this
shortcoming, and other matters having to do with the university, make
me hesitant to make further contributions."
Some alums questioned why OU keeps Social Security numbers on
long-gone graduates, including those who haven't been donors. Some
asked to have their data removed from OU computers - a request the
university promptly grants.
Dozens wanted to know if OU will cover the expenses they rack up in
taking precautions against identity theft, or financial losses if
they're the victim of such thefts.
A handful talked about lawsuits, and one alum simply sent OU a bill.
Molly Tampke, interim vice president for university advancement,
admitted last week that she can't gauge how the alumni perception of
the computer data breaches will affect giving to OU.
Tampke acknowledged that the incidents seem to have undermined alumni
confidence in some cases, but she continued to hold out hope that
alums will look past the problems when it comes time to open their
checkbooks.
"It does concern me that alumni would feel like they couldn't trust
us," Tampke said. "In terms of long-term effects for financial
support, I don't think we know. But I think ultimately people believe
in us, and want to support Ohio University... I don't want to look
cavalier by any means, but I believe in the loyalty of our alums."
THE PICTURE JUST GOT darker, however. While investigating the previous
cases in which hackers gained access to personal data - including
Social Security numbers - on close to 200,000 students and alums, OU
recently found two more such incidents. These affect the personal data
of about 2,480 university subcontractors and an additional 4,900
current and former students.
According to a story in the Columbus Dispatch Saturday, the latest
hackings put OU at the top of universities nationally for the amount
of computer data stolen, well ahead of the next school on the list,
the University of Southern California.
More than one alum correspondent has questioned the competency of
those watching over OU's data cache, and one question in particular
keeps coming up in the e-mails sent by alums: Why did you have my
Social Security number on file, anyway?
"I'm trying to fathom a situation in which a serious breach of Social
Security numbers could occur and not be discovered for 13 months,"
wrote one alum who works in fraud and compliance for Microsoft. "How
could this possibly happen without utter rank incompetence and a
carefree attitude toward data security?... I hope your IT staff was
fired."
Another writer noted that "the trend across the country is to de-link
Social Security numbers from other important identifying information"
in computer databases.
Tampke said the reason for holding the numbers is "primarily to track
lost alumni." When an alum moves and doesn't leave a forwarding
address, she said, OU will give the person's Social Security number to
a tracking service, to find the new residence.
Given the risk of data theft, is this convenience worth it?
"That's a good question," Tampke said, adding that the issue is
"something that we want to sit down and have a very structured
conversation about," once the university has the fallout from the
hacking cases under control.
A recent internal memo on OU's damage-control efforts estimates that
the university has spent approximately $77,090 on printing and mailing
almost 244,000 letters to alums and donors affected by the security
breaches.
OU has sent out close to 126,000 e-mails in connection with the
incidents as well, the memo shows. Tampke said these numbers should be
pretty much up to date, and that the volume of correspondence over the
case has ebbed considerably.
"It's tapered off a lot," she said. "We're not getting nearly so many
e-mails. I got maybe three letters this week."
Some of the e-mails received by OU, however, suggest that the story is
far from over.
Dozens of writers have hinted - or come right out and said - that OU
should pick up the tab for any credit-monitoring services affected
alums have to pay for, or any losses they suffer through identity
theft. A smaller number have implied, with varying degrees of
specificity, that they may take the matter to court.
"If there is any financial damage or compromise to my other accounts
stemming from this breach of security, I will hold Ohio University at
fault and seek legal counsel to recover any and all loss, with
punitive damages," one alum threatened. "I will further network with
my other alumni to seek a class-action suit for the same."
OU has responded to questions about money liability with a standard
statement, which says that before OU would cover any losses related to
identity theft, it "would need some sort of definitive evidence that
an individual had experienced financial liability not otherwise
remedied by the laws that protect victims of identity theft and that
such harm had occurred as a direct result of this particular database
system compromise rather than a similar compromise of some other
organization's system in which the individual might also have a
record."
Some alums have called this a dodge. "As far as proving that identity
theft was a direct result of your system 'compromise,' you know as
well as anyone that you cannot prove that it was the only place that
information could have been received," one writer complained.
Barb Nalazek, OU's assistant legal affairs director, said that while
it may seem unfair to require an alum to prove that an identity theft
stemmed from OU's computer breach and not some other hacking incident,
in today's world of widespread data theft, this is only realistic.
"We're seeing breaches all the time," she said. "I don't want to sound
like I'm making excuses, but you really have to say, 'Do you really
know that no other company that has all that information on you didn't
breach that?'... It sounds like an excuse, but it's true."
On the expense issue, Nalazek noted that there are a few companies
that will provide one free 90-day credit watch per year.
By using all of these companies, she said, a person can keep an
ongoing watch on his or her credit record, "and it doesn't cost
anything... For what is an appropriate sort of due diligence, it
really is something we all should be doing, and there doesn't have to
be any financial cost."
As for losses incurred through identity theft, Nalazek pointed out
that the law already limits a person's individual financial liability
in the case of, say, misuse of a credit card.
"As long as you're monitoring your credit-card statements, your
liability is extremely limited," she said.
No one, apparently, has yet sued OU over the security breach, but the
e-mails contain a handful of veiled threats, not-so-veiled threats,
and queries on this issue.
"Is there already a class-action lawsuit against Ohio University at
this time?" asked one alum.
"Like many of my classmates, I'm also investigating Ohio University's
potential criminal and civil liability," noted another.
"If there is a lawsuit, believe me I will happily join it," announced
a third.
Nalazek confirmed that the idea of a class-action suit has apparently
crossed the mind of more than one OU alum, but said she knows of no
organized effort to file one.
"It's certainly not that we haven't heard those two words bandied
about by people contacting us," she acknowledged. "But as far as that
happening, there's nothing that we know of."
One resourceful alum dispensed with hints, threats and allegations,
and simply billed OU for the time she spent checking her credit
status. Calling the university "fully liable" for her outlay of time,
she e-mailed an invoice for three hours of work at her "usual billing
rate" of $165 an hour.
In its latest response, OU Legal Affairs Director John Burns has
contacted the firm the woman works for, asking for confirmation of her
hourly rate.
"(The alum's) hourly compensation claim is unique so far, and I am not
sure what Ohio University's decision will be," Burns states in a June
1 e-mail.
Not everyone who expressed an e-mail opinion about the data breach was
outraged. Some were understanding, a few sympathetic. One was nearly
whimsical.
"Please stop giving my information to identity thieves," the alum
asked politely. "Thank you for your consideration." In a postscript he
added, "I would give you the rest of my contact information, but I am
afraid it would be stolen."
From isn at c4i.org Tue Jun 13 08:07:31 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:31 -0500 (CDT)
Subject: [ISN] Data breaches raise more questions about computer security law
Message-ID:
http://www.govexec.com/dailyfed/0606/06126p1.htm
By Daniel Pulliam
dpulliam at govexec.com
June 12, 2006
Recently reported breaches compromising sensitive data held by four
agencies have officials looking at ways to improve federal information
security laws.
Security experts and former government officials started pointing
fingers at alleged weaknesses in the 2002 Federal Information Security
Act earlier this year. In recent interviews, some said they believe
that the incidents could lead to changes in the law.
Alan Paller, director of research at the SANS Institute in Bethesda,
Md., a nonprofit cybersecurity research organization, called the
compromise of personnel records of 1,500 Energy Department employees
revealed last week, combined with last month's theft of personal data
on 26.5 million people from a Veterans Affairs Department employee's
home, "an indictment of FISMA."
In two unrelated incidents, laptop computers containing the personal
information -- including Social Security numbers, birthdates and names
-- of about 200 employees at the Social Security Administration and
the Internal Revenue Service were lost recently.
FISMA requires agencies to identify and categorize risks to their
information technology systems and then implement security controls
based on those risks.
Paller said agencies are using their technology security funds to pay
independent contractors to write FISMA-required reports as part of the
certification and accreditation process, leaving little money for
implementing actual security measures. A certification and
accreditation process is necessary, but it should be continuous and
automated, Paller said.
"There was a thought that to check security, you had to check with
people and talk to people, but because most attacks are done by
systems, you need systems to check the security," Paller said. "The VA
spent tens of millions of dollars certifying and accrediting these
systems, and they are not secure."
A VA spokesman said that the agency received $77 million for
information security in fiscal 2006 and $78 million has been proposed
for fiscal 2007.
Paller and Bruce Brody, vice president for information security at the
Reston, Va-based market research firm INPUT and associate deputy
assistant secretary for cyber and information security at the VA from
2001 to 2004, have been critical of FISMA in the past, and both met
with staffers from the House Government Reform Committee recently to
discuss possible changes to the law.
Brody, who also served as chief information security officer at the
Energy Department until December 2005, said that the Energy security
breach occurred during his tenure at the agency, but within the
National Nuclear Security Administration, which is autonomous from the
department under the National Nuclear Security Act.
Paller said he believes that effective reform is possible, but Brody
said the policy and legislative communities are unlikely to get the
changes right unless information security practitioners are involved.
Clay Johnson, the Office of Management and Budget's deputy director
for management, said last week OMB has 95 percent of the laws and
policies it needs to hold agencies accountable for locking down their
information systems, but "extra teeth" may be needed. He did not
specifically refer to FISMA.
Johnson said in testimony before the House Government Reform Committee
that the administration believes it generally has good policies and
laws for protecting data, but is "prepared to take more action as
necessary."
In a request for comment on the matter, OMB gave no indication that
changes to FISMA are being considered.
OMB spokeswoman Andrea Wuebker said that FISMA was established to
ensure that agencies meet consistent standards for security
requirements for information systems. Agencies are responsible for
ensuring that they are FISMA compliant and that their employees are
trained to work with tough security measures, Wuebker said.
"Sound standards and policies are in place, and OMB works with
agencies to make sure practices match these policies," Wuebker said.
© 2006 by National Journal Group Inc. All rights reserved.
From isn at c4i.org Tue Jun 13 08:06:32 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:06:32 -0500 (CDT)
Subject: [ISN] Lights out
Message-ID:
http://www.fcw.com/article94825-06-12-06-Print
By Brian Robinson
June 12, 2006
Most federal agencies and an increasing number of state and local
offices have made significant investments in communications services
that run over government-owned or commercial fiber-optic networks.
Fiber can carry much more data than traditional copper lines and at
lower costs.
Besides government operations, a growing part of the country's economy
depends on the Internet and its fiber-based backbone - everything from
online shopping and entertainment to banking and health care.
But given its vital importance as a communications medium and general
concerns about terrorist threats to the country's economic and
critical infrastructure, just how secure are the country's fiber
networks?
Experts say fiber, like any network technology, is indeed vulnerable
to a determined eavesdropper with the know-how and right equipment.
That means agencies should safeguard sensitive data.
From a broader, more systemic perspective, however, the country's
fiber-optic infrastructure is more redundant and thus more resilient
than it was a few years ago, reducing the chances that an attacker
could cripple large segments of it, experts say. But localized
problems stemming from physical damage to the infrastructure -
intentional or not - still have the potential to affect its
availability.
Not a priority
For an increasingly technology-dependent country, the security of
fiber-optic networks is apparently low on the list of concerns for
those whose job it is to worry about such threats.
For example, in its recently published "Federal Plan for Cyber
Security and Information Assurance," the National Science and
Technology Council identified the Internet's Domain Name System,
network routing protocols and a host of other process control systems
most in need of security research and development. The report did not
address fiber networks and other infrastructure issues.
Meanwhile, the U.S. Cyber Consequences Unit (US-CCU), an independent
research group that advises the Homeland Security Department, did not
include the fiber infrastructure in a recent draft of a cybersecurity
issues checklist it gave to DHS.
That checklist identified measures at the enterprise or organizational
level, said Scott Borg, director of the US-CCU. The unit will probably
investigate fiber infrastructure security issues later, he said.
With technology budgets tighter than ever, organizations may decide
that fiber security is just not that pressing compared with other
cybersecurity issues, said Bernard Skoch, executive vice president of
Suss Consulting and a former principal director for network services
at the Defense Information Systems Agency.
"People in government are in a classic fight over funding and have to
prioritize their needs," Skoch said. "In some ways, it takes a greater
level of sophistication to say why something is not needed, and right
now, I think there are a lot of people who have concluded that the
fiber infrastructure mesh is well-enough protected."
Hacking fiber
Some experts say the notion that fiber networks are sufficiently
secure may not be a well-informed conclusion. Tapping fiber without
detection is difficult but certainly not impossible, they say.
One of the classic assumptions about such networks is that fiber is
inherently more secure than copper cable. A signal traveling over
copper tends to leak outside the cable, so anyone with a sensitive
scanner could pick up those signals and access the data.
Because fiber uses various wavelengths of light rather than electrons
to carry data, it does not routinely suffer from similar leakage.
Stealing data in transit - between the two ends of the fiber - means
someone has to physically break a fiber strand to tap it or somehow
bend the fiber enough to induce light to exit the fiber. That is not
an easy task, some experts say.
Physically tapping into fiber means you will interrupt the data
stream, which will alert a network operator, said Frank Dzubeck,
president of Communications Network Architects, a network integrator.
"To detect the light passively, you have to first strip away all of
the shielding around the fiber and then put something in place to
catch the light bouncing off the glass of the fiber strand," he said.
"And then you have to determine what the data is that you are
capturing. This is all involved specialty equipment. It's not
something you can purchase on the open market."
But Seth Page, chief executive officer of New York-based Oyster
Optics, which makes intrusion-detection equipment, said he believes
that the fiber infrastructure is vulnerable to hackers who can tap
fiber with common maintenance tools that are available worldwide.
"This same equipment with modifications can be used to capture 100
percent of the voice, video and data going across the network," Page
said. "All you need to do is get access to the fiber loop serving a
particular building."
Hackers don't even need to get all of the data traveling on the fiber,
he said. The packet headers reveal information about phone numbers, IP
addresses and the fiber service provider. Even if an organization
encrypts data and a hacker does not have the means to decrypt it, the
packet headers would not be encrypted, he said. The hacker could save
the rest of the data and attempt to decrypt it later.
The equipment that can capture light from the fiber can also easily
inject light into it, Page said. That would allow a hacker to modify
or jumble the data going through the fiber, corrupting it or causing a
denial-of-service attack on the network.
Perhaps the biggest danger to fiber networks is the so-called backhoe
effect, a decidedly low-tech danger.
It happens when contractors or private landowners dig into the ground
and inadvertently break fiber cables that telecommunications companies
have laid. As recently as 2004, telecom facilities were still among
the most likely to be affected by excavation work. The Common Ground
Alliance, an industry organization aimed at limiting damage caused by
such events, said telecom operations made up 27.5 percent of the
reports it received about such accidents.
"It's still probably the most significant threat," said M.E. "Mich"
Kabay, associate professor of information assurance at Norwich
University in Vermont.
Nerve-wracking map
Fiber's vulnerability to errant digging underscores the notion that
deliberate tampering poses a real risk, Kabay said.
"The telcos are so concerned about making sure people don't dig where
their fiber-optic cables are," he said. "But on the other hand, if you
were a terrorist, where would you then go to bring down all of the
northeast corridor communications?"
The potential chaos that such sabotage could cause was highlighted in
2003 when a doctoral thesis written by George Mason University
graduate student Sean Gorman sparked widespread consternation in
industry and government.
Gorman used public sources to compile a map of all the major business
and industrial sectors in the country and overlay a representation of
the fiber infrastructure that connected them. With a single mouse
click, anyone could see the location of communications choke points
for vital sectors of the U.S. economy.
The infrastructure's resiliency has improved in recent years, however,
through an effort to re-engineer it into a hierarchical structure of
fiber rings that mesh together, Dzubeck said. "Nothing is centralized
in one spot anymore, so if you want to take out one of these [rings],
you'd have to take out many, many sections at once," he said. "There
are multiple paths communications can take through these rings, and if
you do cut a cable, you are only cutting one small section."
All of the fiber in place in the United States now is redundant
because of this new configuration, said Ron Martin, vice president of
service provider development for optical networking at Cisco Systems.
"Every fiber now has an alternate path through which the data can be
sent," Martin said. "If there is a fiber breakage or an equipment
failure, the communication reroutes itself, causing maybe hundreds of
milliseconds of disruption at most."
IP design also enables this dynamic rerouting. IP breaks data streams
into various packets that a network can route via different paths and
then reassemble at the final destination.
"We've not figured out a way to stop people [from] digging up our
fiber with backhoes, so the key is having some way to allow customers
to recover from those events," said Steven Parrott, a product
development manager at Sprint. "With IP, if you lose a particular
fiber path, it's very simple just to reroute the data."
The bottom line for users is that there is minimal, if any, disruption
in their communications, Parrott said.
Despite continuing instances of fiber breakages, the Alliance for
Telecommunications Industry Solutions reported that facility outages
were at a record low in 2004, and it was one of the best years for
network reliability.
Nobody fixes leaks in a roof unless it's raining, said John Pescatore,
vice president and research fellow at Gartner Research, who previously
worked at the National Security Agency and the U.S. Secret Service.
Without a smoking gun to indicate a threat or attack, most officials
do not worry about fiber's security, Pescatore said. "People don't
care."
[...]
From isn at c4i.org Tue Jun 13 08:07:57 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:07:57 -0500 (CDT)
Subject: [ISN] Backdoors, Bots Biggest Threats To Windows
Message-ID:
http://www.informationweek.com/news/showArticle.jhtml?articleID=189400457
By Gregg Keizer
TechWeb.com
Jun 12, 2006
Backdoor Trojans are a clear and present danger to Windows machines,
Microsoft said Monday as it released the first-ever analysis of data
collected by the 15-month run of its Malicious Software Removal Tool,
a utility that seeks out and destroys over five-dozen malware
families.
According to Microsoft's anti-malware engineering team, Trojans that,
once installed, give an attacker access and control of a PC, are a
"significant and tangible threat to Windows users."
Of the 5.7 million unique PCs from which the Malicious Software
Removal Tool (MSRT) has deleted malware, 3.5 million of them -- 62
percent -- had at least one backdoor Trojan.
"Backdoor Trojans are a large part of the malware landscape," said
Matt Braverman, program manager on the team, and the author of a
report on the tool's data that was released Monday at Boston's TechEd
2006 conference.
Bots, a subset of Trojan horses, were especially "popular" on infected
PCs, Microsoft's data showed. Bots are small programs that
communicate with the controlling attacker, usually through Internet
Relay Chat (IRC) channels, less frequently via instant messaging. Of
the top 5 on the MSRT's removed malware list, three families -- Rbot,
Sdbot, and Geobot -- were bots.
Once backdoors and bots are accounted for, all other malware types
were seen on only a minority of machines.
"Rootkits are certainly present, but compared to other [malware types]
they're not extremely widespread yet," added Braverman. A rootkit was
present on 14 percent of the nearly 6 million computers that had to be
cleaned.
Since it debuted in January 2005, the MSRT has been run some 2.7
billion times on an increasing number of PCs. In March 2006, the last
month for which data was compiled, 270 million unique systems ran the
tool, which is automatically downloaded and run on systems with
Windows/Microsoft Update turned on.
Over those 15 months, the MSRT found malware on one in every 311
computers.
"I think that's a valid, accurate number," argued Braverman, even
though the MSRT doesn't detect and delete every form of malicious
software, and runs predominantly on Windows XP SP2 (and not at all on
older operating systems, such as Windows 98 and Windows NT).
The MSRT data also seemed to validate the long-standing premise that
Windows XP SP2 is more secure than earlier Microsoft operating
systems, said Braverman.
Although Windows XP SP2 systems account for 89 percent of all machines
from which malware was deleted, when the numbers are "normalized" --
to take into account the number of tool executions on each OS -- SP2's
rate falls precipitously to just 3 percent.
Together, Windows XP Gold (the original edition launched in October
2001) and Windows XP SP1 account for 63 percent of the deletions when
the numbers are normalized.
"This makes sense," Braverman's report read. "Windows XP SP2 includes
a number of security enhancements and patches for vulnerabilities not
found in earlier versions of Windows XP, making it more difficult to
be infected by malware in some cases.
"And it is likely that a user who has not yet upgraded to the latest
service pack would be more susceptible to social-engineering-based
attacks. In fact, this seems to hold true for Windows 2000 and Windows
Server 2003 as well, where the latest versions of the service packs
for those operating systems have the lowest number of normalized
disinfections compared with the older versions of the operating
systems."
"No, I couldn't claim that Windows XP SP2 itself was the only reason
why its normalized numbers are so low," admitted Braverman, who
pointed to the prodding those users get to turn on Automatic Update
(which not only patches their OS, but also runs MSFT monthly) and the
idea that they're less likely to engage in potentially risky behavior,
like opening attachments or visiting dangerous parts of the Internet.
Microsoft uses a combination of internally-generated metrics and
outside feedback -- including the WildList and customer comments -- to
decide which malware is added to the list targeted by the tool.
Anti-virus scan results of Microsoft's for-a-fee security service,
OneCare, and its for-free Windows Live Safety Center, said Braverman,
are taken into account, as is data from the crash analysis tool that
users can invoke when Windows dies.
While the MSFT data has been used mostly by the anti-malware team
itself to develop new tools -- such as ones to more quickly crank out
signatures for bots -- Braverman sees it as a way for Microsoft and
its partners to get a better feel for the current security situation.
"It demonstrates Microsoft's understanding of the malware landscape,"
he said even as that landscape -- and the tool itself -- change.
"We've already morphed our thinking about how to best attack malware
families," he added.
A version of the tool for Windows Vista Beta 2 will be released within
weeks, said Braverman, via Windows/Microsoft Update to help protect
users trying out the new operating system.
The newest edition of the MSFT will be released Tuesday as part of
Microsoft's monthly security update.
Copyright © 2006 CMP Media LLC, All rights reserved.
From isn at c4i.org Tue Jun 13 08:08:27 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 13 Jun 2006 07:08:27 -0500 (CDT)
Subject: [ISN] Japanese virus shares private info
Message-ID:
http://www.smh.com.au/news/security/japanese-virus-shares-private-info/2006/06/13/1149964511797.html
The Sydney Morning Herald
June 13, 2006
A computer virus that targets the popular file-sharing program Winny
isn't the most destructive bug or even the most widespread. But it's
the most talked about in Japan as it generates headline after
headline, month after month.
The malware, called Antinny, finds random files on Winny users' PCs
and makes them available on the file-sharing network. So far, the data
leaked have been varied and plentiful: passwords for restricted areas
at airports, police investigations, customer information, sales
reports, staff lists.
The constantly updated virus seems to have spared no one -- airlines,
local police forces, mobile phone companies, the National Defence
Agency. Even an antivirus software manufacturer has suffered.
"The virus has been quite effective in getting information off a
user's computer and onto the Internet. The data is supposed to be
secret, so people are quite sensitive about it," said Tsukuba
University computer scientist Kazuhiko Kato.
Compared to attacks on Microsoft Corp's Windows software, the scope of
the Antinny outbreak is narrow. But the Winny mess has caused an
enormous brouhaha in Japan.
Antinny also may have the dubious distinction of being the first virus
to exploit the nature of file-sharing itself in Japan, if not in the
world, said Mamoru Saito of Telecom Information Sharing and Analysis
Centre Japan.
Other viruses and spyware are often found on such networks, though
none appears to take advantage of the underlying technology to spread
personal data.
And while Antinny's writers seem to be limiting themselves to Japanese
file-sharing software for now, he said, the code theoretically could
be modified to attack other file-sharing networks such as
Gnutella and BitTorrent.
The outbreak has triggered a broad damage-control effort by government
and businesses. They have banned Winny from in-house computers and
fired employees who use it on them. They've also demanded that staff
not take work home and delete Winny from any home PCs used for work.
"The most secure way to prevent the leakage of information is not to
use Winny on your computer," Chief Cabinet Secretary Shinzo Abe, the
government's top spokesman, told reporters.
But the outbreak shows little sign of abating.
"The problem has shown that many people just don't know how to use the
internet safely," said Takeshi Sato of the government's National
Information Security Centre.
File-sharing programs like Winny are used to find and get files --
from music to video to documents -- from the computers of other people
also using the software. The PC owner typically has control over what
is made available by limiting sharing to a specific folder.
The virus takes advantage of this culture to propagate itself by
playing a "social" trick on users, said Telecom ISAC Japan's Saito.
When the virus is activated on a computer, it first chooses a new name
for itself by taking the names of other files users are likely to be
searching for -- usually photos or music. The resulting new name
becomes so long that, under normal Windows' settings, the three-letter
file extension that indicates the type of file disappears from view,
he said.
Careless users who download the file will see only the name and think
it is something they wanted -- say, a photo of a favorite movie star.
They don't see that they are actually trying to open an application,
not a picture.
When they do, the virus then looks on the computer for the Winny
application, grabs random files off the hard drive and uses Winny to
make those files and itself available for download on the network.
And so the cycle repeats.
New strains of Antinny appear all the time. Software maker Trend Micro
listed 46 variations of the virus in its database as of mid-May. Trend
itself lost sales data due to a Winny leak in 2005.
"Just keeping your antivirus software up to date isn't enough, because
the updates can't keep up with all the new strains of the virus," the
government's Sato said.
The government's concerns about Winny go beyond viruses. It's often
used to share files and that often means illegally exchanging
copyrighted materials.
Winny was already on the government's radar screen in November 2004,
when its creator -- then an instructor at the prestigious University
of Tokyo -- was handed a three-year suspended sentence on charges of
violating copyright laws.
But now it is confidential data rather than hit songs that have Winny
back in the spotlight.
Japan Airlines, for example, discovered last December that an
Antinny-infected computer owned by one of its co-pilots leaked
passwords for restricted areas at 16 airports around Japan as well as
Guam's international airport. The airline was forced to alert the
airports to have passwords changed as a precaution.
In early March, Japan's National Defence Agency said it lost
"confidential information" due to a Winny leak, again from an
employee's home computer. While defence officials refused to say what
data had been lost, a news report said it included reports on training
exercises conducted in Okinawa with U.S. troops in 2005.
In the aftermath of the leaks, the agency ordered employees not to use
Winny on any computers used for work. It also announced plans to
purchase 56,000 computers so employees would no longer have to use
their own equipment for work.
Schools, internet providers and electric companies are among the
others who can tell of similar losses. Making matters worse, reports
began surfacing in May that the virus was now attacking another
Japanese file-sharing application called Share (pronounced
"shah-ray"), opening the door to yet more embarrassing leaks.
The excitement being generated is all the more remarkable when one
considers the outbreak's scale.
Because Antinny needs Winny to spread, both the virus and the files it
picks up are limited to a small section of internet users -- anywhere
from 300,000 to 600,000 people, based on government and industry
estimates.
Government statistics show Antinny was responsible for a minuscule
fraction of the 24,155 virus outbreaks reported between November 2005
and April 2006.
"Reports of the leaks make for good drama," Tsukuba's Kato said.
"Still, they show that people need to be careful if they connect their
computers to the Internet."
The government and businesses are trying to help, with everything from
educational pamphlets and Web sites to free software that can remove
Antinny, Winny or both. But there are limits to what they can do.
"The industry is providing information about how to deal with the
problem," said Telecom ISAC-Japan's Saito. "The question is whether or
not the users do anything about it."
Copyright © 2006. The Sydney Morning Herald.
From isn at c4i.org Wed Jun 14 04:03:36 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:36 -0500 (CDT)
Subject: [ISN] Computer Security Market to Grow 13%
Message-ID:
http://times.hankooki.com/lpage/biz/200606/kt2006061320215011910.htm
06-13-2006
SEOUL (Yonhap) - South Korea's computer security market is forecast
to grow 13 percent annually over the next five years as spending on
Internet security software rises in both the public and private
sectors, a report indicated on Tuesday.
The country's digital security market is predicted to rise to 815
billion won ($850) by 2010, and the security appliance market is
projected to post an annual growth rate of 17.6 percent, according to
the report compiled by the South Korean unit of the International Data
Corp.
IDC Korea said the country's computer security market posted 8.5
percent growth last year reaching 443 billion won.
The security appliance sector, in particular, is expected to grow
sharply in the future, the report said, adding that more and more
public institutions and private companies in the country are trying to
keep their computer networks safe from burgeoning cyber threats.
From isn at c4i.org Wed Jun 14 04:03:05 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:05 -0500 (CDT)
Subject: [ISN] Hanford workers warned about security breach
Message-ID:
http://seattlepi.nwsource.com/local/273650_hanfsecurity13.html
By SHANNON DININNY
THE ASSOCIATED PRESS
June 13, 2006
The U.S. Energy Department has warned about 4,000 current and former
workers at the Hanford Nuclear Reservation that their personal
information may have been compromised, after police found a 1996 list
with workers' names and other information in a home during an
unrelated investigation.
The discovery marks the second time in less than a week that the
Energy Department has warned employees and its contractors' employees
that their personal information may have been compromised.
Police in Yakima discovered the list while investigating an unrelated
criminal matter, the Energy Department said, adding that the list
included the names of people who worked for a former Hanford
contractor, Westinghouse Hanford, who were transferring to Fluor
Hanford or companies under contract to Fluor Hanford in 1996.
The Energy Department awarded Fluor Hanford the contract to clean up
the highly contaminated nuclear site in December 1996.
The list also included workers' Social Security numbers and
birthdates, as well as work titles, assignments and telephone numbers.
The department began notifying workers about the discovery Sunday.
Employees at seven companies were warned to monitor their financial
accounts and billing statements for any suspicious activity.
There was no indication that Hanford's computer network was
compromised. The Energy Department and Fluor Hanford were working with
law enforcement officials to determine how the list was obtained and
why it was in the home, the Energy Department said in a statement
Monday.
"We, along with Fluor, are taking this very seriously," said Karen
Lutz, an Energy Department spokeswoman at the south-central Washington
site. "Obviously, there's a concern to get the word out, because so
many workers transfer to other contractors and other federal sites."
Also on Monday, Energy Department officials began contacting 1,502
individuals by phone to inform them that their Social Security numbers
and other information might have been compromised when a hacker gained
entry to a department computer system eight months ago.
The workers, mostly contract employees, worked for the National
Nuclear Security Administration, a semiautonomous agency within the
department that deals with the government's nuclear weapons programs.
The computer theft occurred last September, but Energy Secretary
Samuel Bodman and his deputy, Clay Sell, were not informed of it until
last week. It was first publicly disclosed at a congressional hearing
on Friday.
Following the Hanford report Monday, Sen. Maria Cantwell, D-Wash.,
demanded corrective actions to ensure that federal employees' personal
information remains secure.
"Today's news that the personal information of 4,000 Hanford workers
has been floating around in the open shows that we still have a long
way to go when it comes to keeping sensitive information out of the
wrong hands," Cantwell said.
Workers from the following companies were urged to check their
financial statements: Fluor Daniel Hanford, Lockheed Martin Hanford,
Rust Federal Services of Hanford, B&W Hanford, Numatec Hanford,
DynCorp Tri-Cities Services and Duke Engineering and Services Hanford.
From isn at c4i.org Wed Jun 14 04:03:21 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:21 -0500 (CDT)
Subject: [ISN] Elections hacks don't guard us against hackers
Message-ID:
http://www.miami.com/mld/miamiherald/14803773.htm
By FRED GRIMM
fgrimm at MiamiHerald.com
Jun. 13, 2006
For a county supervisor of elections needing someone to test the
vulnerabilities of his voting system, Dan Wallach's the man.
Wallach, who runs the security computer lab at Rice University, is a
nationally regarded expert on computer network security and voting
system vulnerabilities. He's associate director of ACCURATE (A Center
for Correct, Usable, Reliable, Auditable and Transparent Elections).
Besides, his parents live in Lauderdale-by-the-Sea.
He is a perfect choice. But not in Florida.
Wallach and his associates at ACCURATE may represent academia's
leading experts on voting system security, but under the new rules
promulgated by the Florida Secretary of State, they don't qualify.
Any security test, the secretary of state's office insists, must be
performed by someone certified by the American Software Testing
Qualifications Board, the American Society for Quality or the EC
(E-Commerce) Council.
Not only is Wallach not certified by the three organizations, ''I've
never heard of them,'' he says.
TRAINING COURSE
Actually, the first two organizations are concerned with the overall
quality of manufactured software, not security. The EC Council website
offers a five-day training course into something called ''ethical
hacking.'' Five days of training, under the new rules, would trump the
most sophisticated résumés in computer science.
Computer professor David Dill, of Stanford University, who served on
California's Ad Hoc Task Force on Touch Screen Voting, and whose
degree -- not the five-day kind -- comes from MIT, added his
apprehensions to the comments on the proposed rules the Florida
Secretary of State's office collected Monday. He said they ''would
exclude the most competent evaluators, such as those who have found
most of the reported security holes in existing voting systems.
''I have checked with several computer security experts, who not only
do not have these qualifications, but, like me, have never heard of
them. A little research on the Web reveals these certifications to be
of dubious relevance to voting system evaluation,'' Dill wrote.
Other rules would require that the voting-machine vendors and the
secretary's office get advance notice of any security test. And a
supervisor of elections contemplating a security test must first take
special pains to protect the machine manufacturer's secret operating
code.
CERTIFIED HACKERS
Wallach and Dill seemed puzzled. Wallach noted that a voting machine
ought to be secure no matter who tries to hack the system. The notion
that a would-be hacker must first be properly certified and possess
special qualifications (like a five-day online course), and the
vendors need advance notice becomes utterly irrelevant in cyberspace.
''If someone is malicious and his goal is to throw the election,
they're not going to ask permission,'' Wallach said.
Of course, the new rules aren't really about protecting the integrity
of elections. Only one Florida supervisor of elections allowed outside
experts to test his voting system security. And when Ion Sancho's
hackers discovered they could alter the outcome of an election and
wipe out all trace of the tampering last year, it was a huge
embarrassment to the Secretary of State's office. Instead of trying to
fix the flaws, state officials and Diebold -- a maker of voting
machines -- went after Sancho, disparaging his findings and suggesting
that he ought to be tossed from office.
Then California -- not Florida -- directed a panel of computer science
experts to look into the Leon County findings. The panel found the
same flaws and more. Florida election bureaucrats were humiliated.
''The new rules are designed to make sure that they're never
embarrassed again,'' Sancho said Monday.
Florida's first priority is to protect the vendors. We'll let
California worry about the damn voters.
From isn at c4i.org Wed Jun 14 04:03:48 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:03:48 -0500 (CDT)
Subject: [ISN] KDDI suffers massive data breach
Message-ID:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001150
Martyn Williams
June 13, 2006
IDG News Service
Personal data on almost 4 million customers of Japanese telecom
carrier KDDI Corp. has been breached, the company said Tuesday.
The data includes the name, address and telephone number of 3,996,789
people who had applied for accounts with KDDI's Dion Internet provider
service up to Dec. 18, 2003, KDDI said. Additionally, the gender,
birthday and e-mail addresses of some of the people were also leaked.
KDDI is Japan's second largest telecommunications carrier. It operates
fixed line, dial-up Internet, broadband and cellular services through
a number of different companies.
The carrier became aware of the leak on May 31 this year when it
received a phone call from someone claiming to possess a CD-ROM of the
data, said Yoko Watanabe, a spokeswoman for the Tokyo-based carrier.
The original source of the data has yet to be determined and Watanabe
declined to comment on other aspects of the case, which is being
investigated by the police, she said.
The leak is just the latest of several to hit the headlines in Japan
this year. Personal information has been leaked by companies a number
of times onto the Internet through viruses that infect PCs running
file sharing programs. While the source of the data lost by KDDI is
not yet clear, the episode is likely to increase fears of identity
theft and other fraud in Japan.
In recent years the number of frauds committed against consumers using
such information has been on the rise. Armed with the name and address
or telephone number of a consumer, fraudsters can send out bills or
make calls demanding payment for services that were never delivered.
The slick frauds often dupe consumers into sending money before they
realize they have been tricked.
From isn at c4i.org Wed Jun 14 04:05:40 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:05:40 -0500 (CDT)
Subject: [ISN] PCs to developing world 'fuel malware'
Message-ID:
http://www.theregister.co.uk/2006/06/13/pc_donation_peril/
By John Leyden
13th June 2006
Programs to send PCs to third world countries might inadvertently fuel
the development of malware for hire scams, an anti-virus guru warns.
Eugene Kaspersky, head of anti-virus research at Kaspersky Labs,
cautions that developing nations have become leading centres for virus
development. Sending cheap PCs to countries with active virus writing
cliques might therefore have unintended negative consequences, he
suggests.
"A particular cause for concern is programs which advocate 'cheap
computers for poor third world countries'," Kaspersky writes. "These
further encourage criminal activity on the internet. Statistics on the
number of malicious programs originating from specific countries
confirm this: the world leader in virus writing is China, followed by
Latin America, with Russia and Eastern European countries not far
behind."
But what about all the positive uses in education, for example,
possible through the use of second-hand PCs in developing nations? We
reckon these more than outweigh the possible misuse of some computers
at the fringes of such programs.
We wanted to quiz Kaspersky more closely on his comments but he wasn't
available to speak to us at the time of going to press.
A spokesman for Kaspersky Labs agreed that PC donation programs have
benefits but maintained that in countries with "fewer legitimate
openings" for work the possibility of "unintended side effects" can't
be overlooked. He said that Eugene Kaspersky's comments should be
viewed in the context of a wider discussion of criminal virus writing,
contained in an essay on the anti-virus industry here.
From isn at c4i.org Wed Jun 14 04:06:05 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:06:05 -0500 (CDT)
Subject: [ISN] Black Hat Speakers + 2005 Content on-line
Message-ID:
Forwarded from: Jeff Moss
Hello ISN readers,
I have a brief announcement I would like to make.
The speaker selection for Black Hat USA 2006 is now complete. We have a
fantastic line up of Briefings presentations and our largest selection of
Training this year.
Briefings: http://www.blackhat.com/html/bh-usa-06/bh-usa-06-schedule.html
Training: http://www.blackhat.com/html/bh-usa-06/train-bh-usa-06-index.html
For the first time in four years, we have been able to expand our speaking
line. This is because Caesars Palace has expanded their conference space, and
Black Hat will be getting the entire fourth floor to ourselves! This means that
for the first time in four years, we were able to expand the number of
presentation tracks, panels as well as offer more opportunities for networking
in our Human Network area.
Some notes from the schedule:
*A Root-kit focused track draws attention to the amount of work, and the speed
of advancement, going into this field.
*Ajax to Fuzzers--web app sec is taken to a new level. The largest number of
talks dealing with web application security ever delivered at a Black Hat. As
the web moves to a more interactive "web 2.0" model of participation it is only
natural for there to be more risks involved.
*A Windows Vista Security track which has been garnering a lot of press
lately... this will be an unprecedented first comprehensive look at Vista
security issues
*Jim Christie is bringing his "Meet the Fed" panel over from DEF CON, and the
Hacker Court is back along with panels on Disclosure, a Public Forum on
Corporate Spyware Threats hosted by The Center for Democracy and Technology
Anti-Spyware Coalition, and a new challenge will be presented by the Jericho
Forum.
Remember, prices increase July 1st for both the Briefings and Trainings.
Register now to get the best rates!
http://www.blackhat.com/html/bh-registration/bh-registration.html#us
Other News:
Black Hat is pleased to release the presentations from last year's Black Hat
2005 Briefings in both audio and video format.
Also a first, they will be available for download in both H.264 .mp4 format
(iPod compatible) as well as .mp3 audio. Currently you have to subscribe to the
Black Hat .rss feed to get them, but in the coming weeks we will make them
available through the past conventions archive page.
http://www.blackhat.com/BlackHatRSS.xml
Black Hat would like to welcome the ISSA as a world wide supporting
association. http://www.issa.org/
Thank you,
Jeff Moss
From isn at c4i.org Wed Jun 14 04:04:58 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:04:58 -0500 (CDT)
Subject: [ISN] ...and now a word from one of our long time sponsors
Message-ID:
http://attrition.org/news/content/06-06-13.001.html
Cliff Notes: If you drink Coca-Cola products, email the 'coke reward'
code to cokerewards at attrition.org to support a bunch of wack job
heathens
How many times have you thought, "If everyone sent me one penny, I'd
be rich!?" In the case of attrition staff, maybe you thought "If
everyone sent me one beer, I'd need a new liver in three months!"
Attrition has been going strong for almost eight years now. In that
time we haven't plagued the site with ad banners, pop-ups, or even the
cute little google ad-words. We've accepted PayPal donations for
several years and raked in a whopping 250 bucks (which we are honestly
very thankful for). Our Amazon wishlists are never used, half the mail
we get is mindless drivel complaining about insipid crap that is
usually answered by actually reading the web pages. The box has been
fully replaced two times due to hardware problems, payments are
routinely made to our landlord for the bandwidth abuse and to keep him
too drunk to find our power plug. In short, this isn't a site based
around profit or self reward. We're more like those monks that inflict
self pain thinking it brings them closer to a higher power. Misguided,
pain-ridden, stupid monks.
Since we've long been fans of the sci-fi idea of 'micro payments', and
no system is in place for such a beast to really work, we've come up
with one. Now you too can actually support the site without sending us
money or hate mail. Chances are, you are a cracked-out coke fiend like
most of us. I prefer the hard-core street drug they call "Coke Zero"
these days, moving on from the weak suburban "Diet Coke" or that
old-folks home "Caffeine Free Diet Coke" that Munge sips on between
shots of Everclear. If you support Coca-Cola like a true patriot, and
not those Pepsi jerks like a terrorist would, then you are in the
perfect position to contribute.
Coca-Cola is running a promotion where you receive a code for each
purchase you make. With those codes, you register on one of their web
sites and type in the codes to earn points. Enough points and you can
earn various prizes, most of which are not worth the time to read
about on the web site. If you click around enough, you get to the
distant "10,000+ Points" reward list, and things become brighter. In
this "pipe dream" category is a pretty swell Sony LCD HDTV that would
be a nice reward for the pain and suffering we're put through.
So, next time you are getting your fix, take a few seconds to type in
the coke code and mail it to us. Only takes a minute of your time and
you can spend the rest of the day bragging about how you supported a
non-profit site on the intarweb. The codes can be found inside the
bottle caps of 2 liter, 1 liter or 20oz bottles, or in the tear off
flap of 12-pack cases. They can be found in just about every variety
of Coca-Cola products and look something like BNMW7 Y49XR 4X7VJ.
This is it, net denizens. Some 100,000,000 of you out there, and all it
takes is 2,000 of you to mail in the code from a single 12-pack to
reach our goal. You would be showing a small token of appreciation for
eight years of hard work and it doesn't even require a visit to the
post office. If you send in 100 points worth of codes (ten cases, or
33 bottles), we'll hook you up with private access to the old image
gallery we used to make available (shut down long ago due to bandwidth
abuse), which is up to 5,263 unique images of all varieties, and zero
advertisements.
That's it, simple and possibly rewarding. cokerewards at attrition.org
Cut this out and post it at your work lounge!
.------------------------------.
| |
| E-mail Coca-Cola Reward Code |
| to the heathens at |
| cokerewards at attrition.org |
| |
`------------------------------'
From isn at c4i.org Wed Jun 14 04:05:27 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 14 Jun 2006 03:05:27 -0500 (CDT)
Subject: [ISN] ADSM endorses XBRL technology
Message-ID:
http://www.itp.net/business/news/details.php?id=21007
By David Ingham
13 June 2006
Abu Dhabi Securities Market (ADSM) has recently taken further steps to
boost market transparency and improve its information technology
systems. ADSM has declared its aim to become ISO 17799 compliant and
has thrown its weight behind the XBRL information reporting standard.
Extensible Business Reporting Language (XBRL) enables computer-readable
tags to be applied to individual items of financial data in business
reports. This helps to turn them from blocks of text into information
that can be understood and processed by computer software.
"XBRL complements ADSM's programme to adopt international best
practice standards of regulation and governance throughout the UAE
markets," said Rashed Al Baloushi, acting director general of ADSM.
"It will give investors better access to a company's financial
information, allowing them to make more informed decisions.
"Furthermore, analysts will be able to compare detailed data more
efficiently and with increased accuracy. Under the current system, it
can be difficult to benchmark data efficiently." ADSM said it will
encourage all listed companies to adopt the technology, which it says
can reduce data processing costs in addition to improving
transparency.
It has already held one educational seminar, which was attended by
listed UAE companies and representatives from other markets in the
region.
Separately, ADSM has said that it plans to become the first UAE bourse
to achieve ISO 17799 certification. ISO 17799 is a set of procedures
designed to help companies improve their level of information
security. It covers ten aspects of e-security, including policies &
procedures, access control and business continuity. Company and
Cybertrust have been appointed to help ADSM benchmark its systems
against the ISO 17799 requirements.
"Since ADSM was established, we have been constantly reviewing and
updating our security systems in line with our growth," said Khalfan
Al Mazrouei, IT manager of ADSM.
"But, in order to bring our systems up to international standards,
we need ISO 17799 certification."
From isn at c4i.org Thu Jun 15 02:24:27 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:24:27 -0500 (CDT)
Subject: [ISN] Stolen computer server sparks ID theft fears
Message-ID:
http://msnbc.msn.com/id/13327187/
By Jim Popkin, Tim Sandler & the NBC Investigative Unit
NBC News
June 14, 2006
WASHINGTON - A thief recently stole a computer server belonging to a
major U.S. insurance company, and company officials now fear that the
personal data of nearly 1 million people could be at risk, insurance
industry sources tell NBC News.
The computer server contains personal electronic data for 930,000
Americans, including names, Social Security numbers and tens of
thousands of medical records. The server was stolen on March 31, along
with a camcorder and other office equipment, during a break-in at a
Midwest office of American Insurance Group (AIG), company officials
confirm.
An AIG spokesman says that there's no evidence that the thief has
accessed the personal data on the server or used it for any illicit
purpose. The server is password protected, the AIG spokesman adds.
The server contains detailed personal data from 930,000 prospective
AIG customers, whose information had been forwarded to the insurance
firm from 690 insurance brokers around the country. The potential
customers' employers were shopping with AIG for rates for excess
medical coverage, the spokesman says, when they forwarded the personal
data to AIG.
AIG has not yet notified any of the people whose personal data are on
the stolen server. AIG security officials have been conducting a
forensic analysis of the theft, and warned the 690 insurance brokers
of the problem on May 26.
The AIG spokesman tells NBC: "There is no indication that the thieves
were seeking data, rather than valuable hardware....To date, we are
unaware of any of this information being compromised."
In a police report on the incident, officers in the Midwestern city
state that the stolen server was worth $10,000. The police write that
the thief "came through the ceiling, going into their [AIG's] server
room." NBC News is not identifying the city at the company's request,
so as to not tip off the thief who may not realize he/she has valuable
personal information.
AIG describes itself as "the leading international insurance
organization with operations in more than 130 countries and
jurisdictions."
Ironically, an AIG member company announced earlier this year that it
now offers identity-theft insurance coverage.
© 2006 MSNBC Interactive
From isn at c4i.org Thu Jun 15 02:24:48 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:24:48 -0500 (CDT)
Subject: [ISN] Intelligence can be pretty dumb
Message-ID:
http://www.theinquirer.net/?article=32411
By Nick Booth
14 June 2006
SECURITY FIRMS must be ruthlessly cunning and intelligent to stay
ahead of the fiendish legions of hackers, crackers and cunning con
artists they constantly warn us about.
Or so you'd think.
But not if this recent example of 'intelligence' is typical.
All companies keep tabs on the opposition. Usually, they employ
competitive intelligence companies, who use all kinds of dirty tricks
to find out about rivals' products, their marketing strategies and the
incentives offered to resellers.
A typically fiendish scam would be to set up a phoney head hunting
agency, then invite everyone that matters, at the target firm, for an
"off the record" interview. Flattered by the attention, most CTOs and
marketing directors are only too pleased to boast of the projects
they're working on, the budgets they're in charge of and how many
people are under them.
This information is all tabulated, and sold for hundreds of thousands
of dollars, to the client. Clients like to outsource this furtive
behaviour so they can distance themselves from it if they get caught.
Very cunning. Some security firms are slightly less sophisticated, it
seems.
When security vendor Countersnipe launched its latest product, it
expected a few bogus enquiries from its rivals. But a request from an
outfit calling themselves Ychange seemed genuine enough.
'Jeff' from Ychange saw a demo and was so impressed he promised to
show the product to Superluminal, his financial services client, which
was just gagging to place a multi-million dollar order.
But a quick Whois check revealed that Superluminal's web site was
owned by one of Countersnipe's rivals, Sourcefire. Perhaps Sourcefire
didn't think anyone else would know about this new-fangled Internet
thing.
"This has to be the least sophisticated attempt at spying I've ever
seen," laughed Countersnipe's Amar Rathore, "I wouldn't mind, but
they're a security firm, for God's sake. You'd think they'd know some
cleverer tricks than that."
Sourcefire was unavailable for comment.
From isn at c4i.org Thu Jun 15 02:25:24 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:25:24 -0500 (CDT)
Subject: [ISN] Spam Is Good for Antispam Vendors
Message-ID:
====================
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
St. Bernard Software
http://list.windowsitpro.com/t?ctl=2E774:4FB69
Patchlink
http://list.windowsitpro.com/t?ctl=2E786:4FB69
CrossTec
http://list.windowsitpro.com/t?ctl=2E76E:4FB69
====================
1. In Focus: Spam Is Good for Antispam Vendors
2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Releases Rebranded Antigen Products
- 180solutions Merges with Hotbar, Renames Company Zango
- Two-Factor Authentication Tokens
3. Security Toolkit
- Security Matters Blog
- FAQ
- Share Your Security Tips
4. New and Improved
- Host-Based IPS Monitors Application Behavior
====================
==== Sponsor: St. Bernard Software ====
Get the #1 Ranked Internet Filtering Appliance Free
iPrism, ranked #1 by IDC, gives you comprehensive protection from
Web-based threats at the perimeter - spyware, IM and P2P are stopped
before they can invade your networks. Now, get the appliance at no
charge when you purchase a multi-year subscription. This is a limited-
time offer, so get a Quick Quote today.
http://list.windowsitpro.com/t?ctl=2E774:4FB69
====================
==== 1. In Focus: Spam Is Good for Antispam Vendors ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Last week, I wrote about Okopipi--the current successor to Blue
Security's Blue Frog antispam service. In closing that article, I
described a dream situation in which Microsoft philanthropically backs
the Okopipi project and bundles the antispam solution with every copy
of Windows. This week, I'll point out some statistics and financial
figures that show why I think that dream will never become a reality--
not with Microsoft or any other major antispam-solution provider.
First, let's look at the cost of spam for businesses: In February 2005,
Ferris Research said, "Lost productivity and other expenses associated
with spam will cost US businesses $17 billion in 2005.... Worldwide
costs could reach $50 billion, primarily because of lost employee
productivity. Not included in these figures are immeasurable items,
such as the missed opportunity cost of a new customer order that's
incorrectly discarded as spam." That's a lot of incentive for
businesses to implement antispam solutions.
http://list.windowsitpro.com/t?ctl=2E77B:4FB69
Next, let's look at antispam-solution revenue figures: Also in February
2005, IDC predicted that "...worldwide revenue for antispam solutions
will exceed $1.7 billion in 2008, far surpassing the $300 million
generated in 2003.... [The] development of spam from a mere nuisance to
an increasingly serious problem [is] the driver for explosive revenue
growth, innovation, and investment in the antispam market. The
worldwide revenue for antispam solutions will experience a compound
annual growth rate (CAGR) of 42% through 2008."
http://list.windowsitpro.com/t?ctl=2E77A:4FB69
Now let's look at email usage and spam volume growth: In January 2006,
the Radicati Group estimated that there were more than 1.2 billion
active email accounts. Worldwide email traffic per day was about 135
billion messages, of which 67 percent were spam. Then in May 2006,
Radicati estimated that there were nearly 1.4 billion active email
accounts and worldwide email traffic per day of about 171 billion
messages, of which 71 percent were spam.
http://list.windowsitpro.com/t?ctl=2E771:4FB69
http://list.windowsitpro.com/t?ctl=2E775:4FB69
Summarizing Radicati's data, the number of mailboxes increased by 200
million, the volume of email traffic increased by 36 million messages,
and the volume of spam increased by 31 million messages--all in less
than half a year! The increases represent a tremendous gain in
potential customers for antispam vendors, which of course can readily
equate to huge increases in revenue.
The spam problem has given birth to a billion-dollar market for
antispam-solution providers. If we keep in mind that most companies
exist for the primary purpose of generating income for their owners and
investors, then we can easily see that no current antispam vendor has
the impetus to stamp out spam because doing so would run counter to its
fiduciary responsibility.
Therefore, the Okopipi project will probably not be seen in a good
light by any antispam-solution provider, except of course one that
finds a way to profit from the ultimate antispam solution of stamping
out spam completely.
====================
==== Sponsor: PatchLink ====
Does your patch management solution automatically track and re-deploy
to ensure network security?
20% of patches unknowingly become un-patched. Learn more about
automating the analysis, distribution and tracking of security patches
using PatchLink's security patch & vulnerability management solution --
the world's largest repository of tested patches. Request a free trial
disk.
http://list.windowsitpro.com/t?ctl=2E786:4FB69
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=2E773:4FB69
Microsoft Releases Rebranded Antigen Products
Microsoft announced the first release of its rebranded Antigen
antivirus and antispam products for email systems. Microsoft acquired
the Antigen product line with the 2005 purchase of Sybari Software.
Read more about the Microsoft versions at
http://list.windowsitpro.com/t?ctl=2E77E:4FB69
180solutions Merges with Hotbar, Renames Company Zango
The often scrutinized adware company 180solutions announced that
effective immediately it will merge with Hotbar and rename the newly
combined entity Zango.
http://list.windowsitpro.com/t?ctl=2E77F:4FB69
Two-Factor Authentication Tokens
Two-factor authentication offers stronger security and easier access
than having to remember numerous passwords. Our buyer's guide helps you
find the right two-factor solution to fit your needs.
http://list.windowsitpro.com/t?ctl=2E77C:4FB69
====================
==== Resources and Events ====
Win a new iPod (for Mac or PC)
Download a Windows IT Pro podcast on Windows IT Pro Radio by your
favorite author, editor, or industry figure. You'll automatically be
entered to win!
http://list.windowsitpro.com/t?ctl=2E787:4FB69
Maximize your VoIP environment by integrating FoIP technology to
increase ROI and streamline processes.
http://list.windowsitpro.com/t?ctl=2E772:4FB69
Attend Black Hat 2006 in Las Vegas July 29 - August 3; 2,500+
international security experts, 10 tracks, no vendor sales pitches.
http://list.windowsitpro.com/t?ctl=2E78A:4FB69
Pop Quiz! Can you pass the Windows Server High Availability Challenge?
Find out, and you could win a Video iPod.
http://list.windowsitpro.com/t?ctl=2E784:4FB69
How will compliance regulations affect your IT infrastructure? Help
design your retention and retrieval, privacy, and security policies to
make sure that your organization is compliant. Download the full ebook
today!
http://list.windowsitpro.com/t?ctl=2E770:4FB69
Attend TechDays 2006--two days of technical training for IT
Professionals on Microsoft and Cisco Technologies, Fri. 6/23 and Sat.
6/24 from 9am-4pm (both days). Located at Diablo Valley College,
Pleasant Hill, CA. Price is $1299. Your cost is $299 and includes
lunch, drink, snacks and all the information your mind can hold! Enter
code PENTON when you register at
http://list.windowsitpro.com/t?ctl=2E783:4FB69
====================
==== Featured White Paper ====
Extend Windows Rights Management Services (RMS) to support enterprise
requirements for protecting information, including proprietary business
data.
http://list.windowsitpro.com/t?ctl=2E76F:4FB69
Bonus: When you download any white paper from Windows IT Pro before
June 30, you'll be entered to win Bose Triport Headphones. See the full
selection today at http://list.windowsitpro.com/t?ctl=2E785:4FB69
====================
==== Hot Spot ====
Spending too much time monitoring security alerts?
New Activeworx Security Center v3 collects event logs from all of
your various security devices (Firewalls, AV, IDS, etc) to provide a
single dashboard view. ASC includes real-time correlation and analysis,
alerts, built-in compliance reports and deep forensics. Free white
paper, webinar and evals available.
http://list.windowsitpro.com/t?ctl=2E76E:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog: Windows Genuine Advantage, Phone Home
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2E782:4FB69
We should have known: Microsoft's Windows Genuine Advantage tool phones
home daily, and that fact isn't disclosed in the End User License
Agreement (EULA). Find out more in this blog article on our Web site.
http://list.windowsitpro.com/t?ctl=2E780:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=2E781:4FB69
Q: How do I enable logging of file screen violations?
Find the answer at http://list.windowsitpro.com/t?ctl=2E77D:4FB69
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's
Reader to Reader column. Email your contributions to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== Announcements ====
(from Windows IT Pro and its partners)
Summer Special--Save 58% off Windows IT Pro
Subscribe to Windows IT Pro today and SAVE 58%! Along with your 12
issues, you'll get FREE access to the entire Windows IT Pro online
article archive, which houses more than 9,000 helpful articles. This is
a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2E777:4FB69
June Special--Save $80 off the Windows IT Security newsletter
Get endless solutions for building and maintaining a secure
enterprise. Subscribe to the Windows IT Security newsletter today and
save $80:
http://list.windowsitpro.com/t?ctl=2E778:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Host-Based IPS Monitors Application Behavior
S.N. Safe & Software recently released the Safe'n'Sec host-based
intrusion prevention system (IPS). Safe'n'Sec intercepts application
calls at the OS level, granting or denying system access to an app
based on a variety of criteria, such as the app's hard disk location,
the existence of a digital signature for the app, and whether the app
is on a list of core "safe" applications. Safe'n'Sec vets periodic
updates to core apps, and Safe'n'Sec users can define policies to
govern the behavior of apps. The version for small to midsized
businesses (SMBs), Safe'n'Sec Business, offers antivirus and
antispyware protection and centralized remote and corporate network
administration. For more information, go to
http://list.windowsitpro.com/t?ctl=2E789:4FB69
Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Best Buy Gift Card if we write about the product in a
Windows IT Pro What's Hot column. Send your product suggestion with
information about how the product has helped you to
whatshot at windowsitpro.com.
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2E788:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2E779:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Jun 15 02:25:42 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:25:42 -0500 (CDT)
Subject: [ISN] Hacker disrupts state disaster site
Message-ID:
http://www.tallahassee.com/apps/pbcs.dll/article?AID=/20060614/NEWS01/606140312
By Stephen D. Price
CAPITOL BUREAU
June 14, 2006
As Tropical Storm Alberto barreled toward Florida, a computer hacker
disrupted public access to the state's emergency Web site for about 20
minutes Tuesday morning, but the glitch did not affect emergency
workers, officials said.
The Web site, www.floridadisaster.org, is set up by the Division of
Emergency Management and allows Floridians to access information about
emergency situations.
The problem delayed a briefing by emergency workers.
"Someone intentionally did this," said Carla Boyce, plans chief for
the Division of Services Management. "Loopholes get discovered and
hackers take advantage of them."
The Florida Department of Law Enforcement is investigating the
incident.
At 7:30 Tuesday morning, emergency workers noticed the site showed
error messages, said David Halstead, State Emergency Response Team
chief. He said a similar problem happened a week ago.
"It takes someone with good computer skills to do this," Halstead
said.
Boyce said workers are reviewing logs and network tools for clues to
learn who did the hacking and from where. The problem was fixed, and
extra precautions are being taken so it doesn't happen again, she
said.
From isn at c4i.org Thu Jun 15 02:26:09 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:26:09 -0500 (CDT)
Subject: [ISN] VA IT security gaps extend to contractors
Message-ID:
http://www.gcn.com/online/vol1_no1/41035-1.html
By Mary Mosquera
GCN Staff
06/14/06
The Veterans Affairs Department said today that it has been
investigating allegations that an offshore medical transcription
subcontractor last year threatened to expose 30,000 veterans'
electronic health records on the Internet in a payment dispute with a
VA contractor.
The VA assistant inspector general referred to the investigation
during questioning in a congressional hearing on VA's data security
environment in the wake of the theft of sensitive data of 26.5 million
veterans, active duty military and reserves officers.
The medical transcription incident highlights how gaps in information
security also extend to contractors, said Michael Staley, VA's
assistant inspector general for auditing. Some VA medical
transcription contractors have used offshore subcontractors in India
and Pakistan without VA's approval and without adequate controls to
ensure veterans' health information was secure under the Health
Insurance Portability and Accountability Act, according to an audit
released today.
"Contracts do not specify criteria for how to protect information,"
Staley told the House Veterans Affairs Committee.
Staley enumerated audits of information management security under the
Federal Information Security Management Act, the Consolidated
Financial Statement and Combined Assessment Program that revealed
significant vulnerabilities. These include VA not controlling and
monitoring employee access, not restricting users to only the data
they need and not terminating accounts of departing employees in a
timely manner.
In last year's FISMA review, the IG provided 16 recommendations,
including addressing security vulnerabilities of unauthorized access
and misuse of sensitive information and data throughout VA
demonstrated during its field testing. All 16 recommendations remain
open, he said.
Audits also found instances where out-based employees send veterans'
medical information to the VA regional office through unencrypted
e-mail; monitoring remote network access and usage does not routinely
occur; and off-duty users' access to VA computer systems and sensitive
information is not restricted.
"VA has implemented some recommendations for specific locations
identified but has not made corrections VA-wide," he said.
From fiscal years 2000 to 2005, the IG identified IT and security
deficiencies in 141, or 78 percent, of 181 Veterans Health
Administration facilities reviewed, and 37, or 67 percent, of the 55
Veterans Benefits Administration facilities reviewed.
"We recommended that VA pursue a more centralized approach, apply
appropriate resources and establish a clear chain of command and
accountability structure to implement and enforce IT internal
controls," Staley said.
The underlying situation is that the VA's department CIO does not have
authority to enforce compliance with data security and information
management and recommendations from GAO, said Veterans Affairs
Committee chairman Steve Buyer (R-Ind.).
Buyer traced problems in security enforcement to a memo dated April
2004 from the general counsel that said the department CIO did not
have enforcement authority.
The CIO, undersecretaries who lead VA's benefits, health and burial
administrations, and the VA secretary share responsibility for
enforcement, said Gregory Wilshusen, director of information security
issues for the Government Accountability Office.
"Information security is a governmentwide problem, and we have talked
with OMB about that," said Linda Koontz, director of GAO's information
management issues.
Buyer expressed frustration that there are no consequences for
"recalcitrant" agencies that do not correct problems that GAO has
repeatedly highlighted. He cited the Privacy Act, which has been
strengthened with consequences.
"If you have a bureaucracy so strong in the department that the
secretary or political bodies are unable to act, don't you think the
president or vice president or OMB needs to know that because there
are monetary consequences behind that inaction? I'm bothered that GAO
doesn't have the higher authority to which they can turn," Buyer said
after the hearing.
After several more hearings this month, Buyer and his committee will
make recommendations or craft legislation. He suggested that Congress
consider looking at strengthening FISMA.
"We can even come up with that in our language, but we're not going to
have jurisdiction over that. We'll have to work with Mr. Davis [House
Government Reform Committee chairman Tom Davis (R-Va.)] and his
committee. I'd be more than happy to do that," he said.
From isn at c4i.org Thu Jun 15 02:26:36 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:26:36 -0500 (CDT)
Subject: [ISN] FBI loses 400 pieces of equipment
Message-ID:
http://www.upi.com/SecurityTerrorism/view.php?StoryID=20060614-024108-3918r
6/14/2006
WASHINGTON, June 14 (UPI) -- The U.S. FBI may have lost 400 pieces of
equipment, National Journal's Technology Daily reported Monday.
The Federal Bureau of Investigation still has not told the Government
Accountability Office what has happened to hundreds of pieces of
equipment that were supposed to be part of a failed department-wide
case-management system.
"The FBI also has not provided any additional explanation for the
remaining roughly 400 missing assets," Linda Calbom, the GAO's
director of financial management and assurance wrote in a letter.
The letter, dated Friday, was addressed to Senate Judiciary Committee
Chairman Arlen Specter, R-Pa., and addressed many of the follow-up
questions that the committee had for GAO. The GAO released a report in
May detailing the flaws in the FBI's Trilogy system, Technology Daily
said.
It reported that the FBI could not locate more than 1,200 pieces of
equipment, valued at about $7.6 million. The FBI responded by saying
that it had accounted for 800 of those items, but GAO could not verify
that claim, Calbom wrote, the report said.
© Copyright 2006 United Press International, Inc. All Rights Reserved
From isn at c4i.org Thu Jun 15 02:27:08 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:27:08 -0500 (CDT)
Subject: [ISN] Money lost to cybercrime down--again
Message-ID:
http://news.com.com/2100-7349_3-6083860.html
By Joris Evers
Staff Writer, CNET News.com
June 14, 2006
SCOTTSDALE, Ariz.--While many headlines spell doom and gloom when it
comes to computer-related misdeeds, the average losses at businesses
due to cybercrime continue to drop, according to a new survey.
For the fourth straight year, the financial losses incurred by
businesses due to incidents such as computer break-ins have fallen,
according to the 2006 annual survey by the Computer Security Institute
and the FBI. Robert Richardson, editorial director at the CSI,
discussed the survey's findings in a presentation at the CSI NetSec
conference here Wednesday.
Respondents in the 2005 survey reported an average of $204,000 in
cybercrime losses, Richardson said. This year, that's down to
$168,000, about an 18 percent drop, he added. Compared with 2004, the
average loss is down 68 percent.
"How do you go about reconciling the sense of things getting worse
with the respondents who are saying they are losing less money?"
Richardson asked. The 2006 survey, a final version of which is slated
to be released next month, could provide some answers.
Most important, perhaps, the 615 U.S. CSI members who responded to
this year's survey reported fewer security incidents. Viruses, laptop
theft and insider abuse of Net access are still the most reported
threats, but all have decreased compared with last year.
"The danger of insiders may be somewhat overstated, according to the
survey group," Richardson said. About a third of respondents said they
had no losses at all due to insider threats; another 29 percent said
less than one-fifth of overall losses came from insider threats.
Consistent use of security technology may also contribute to the
improvements, with essentially all of the respondents stating that
they use firewall and antivirus software, not much of a change from
last year. This year, eight out of 10 said they also use spyware
protection, a category not listed a year ago.
"Overall, you have a picture that is pretty good in many ways,"
Richardson said. "We're seeing fewer of some of the attacks that have
been such a plague for us in many years, and respondents are using
less and less money."
That "less money" may be good for companies, but not for security
vendors. It refers to the percentage of IT budgets spent on security.
In the 2006 survey, nearly half of the respondents said less than 2
percent of the budget is spent on security. Last year that percentage
was 35 percent.
When it comes to cybercrime losses, consumers might be bearing the
brunt of them, and they are not covered by the survey, Richardson
suggested. "Consumers are the low-hanging fruit," he said. Costs
related to identity theft, for example, fall largely back onto the
consumer, he added, even if it did start with a data breach at an
enterprise.
Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Thu Jun 15 02:27:36 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 15 Jun 2006 01:27:36 -0500 (CDT)
Subject: [ISN] Exploits for Microsoft flaws circulating
Message-ID:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001182
By Jaikumar Vijayan
Computerworld
June 14, 2006
Security firms are warning about the availability of attack code
targeting some of the flaws for which Microsoft Corp. released patches
yesterday (see "Microsoft releases fixes for 21 vulnerabilities" [1]).
Most of the exploits target flaws that were previously known but for
which patches became available only as part of Microsoft's June
monthly security update. But at least two publicly available exploits
are directed at newly disclosed flaws in the company's products.
"Exploit code had already existed for three of the vulnerabilities
prior to yesterday, as they were already public issues," said Michael
Sutton, director of VeriSign Inc.'s iDefense Labs. "Beyond that, we're
seeing public exploit code emerge for some of the new vulnerabilities
and are hearing rumors of private code existing for others."
The availability of such exploits heightens the risk for companies
that have not yet been able to patch their systems and is an important
factor to consider when deciding which systems to patch first, he
said.
"We believe that it is far more beneficial to withhold
proof-of-concept code for an amount of time so that customers can get
the vulnerabilities patched," said Stephen Toulouse, security program
manager at Microsoft's security response center. "The public
broadcasting of code so quickly after a bulletin release, we believe,
tends to help attackers."
Microsoft is telling its customers to pay special attention to three
key updates -- MS06-021, MS06-022 and MS06-023 -- because they could
be particularly easy to exploit using Internet Explorer. "There are
methods by which if you just browse to a Web site, there could be code
execution," Toulouse said.
According to iDefense, some form of exploit code is publicly available
against the cross-domain information disclosure vulnerability
described in bulletins MS06-021, the address bar spoofing flaw in
MS06-021 and the Word malformed object pointer vulnerability described
in MS06-027.
All three were previously known flaws and were given a severity rating
of "critical" by Microsoft.
In addition, exploits have also become publicly available for both of
the newly disclosed server message block vulnerabilities in MS06-030,
according to iDefense.
The SANS Internet Storm Center this morning posted a note also listing
exploits released by penetration-testing vendors to customers. One of
the exploits was directed against the Windows Media Player flaw in
MS06-024, while the other was targeted at the routing and
remote-access vulnerability in MS06-025.
Denial-of-service attack codes are also privately available for a
TCP/IP flaw in MS06-032, according to SANS.
Outside of the Word malware, which began circulating last month,
Microsoft has not yet seen any of these exploits used by attackers,
Toulouse said.
The availability of exploit code once again shows that there is no
longer any "patching window" for companies, said Johannes Ullrich,
chief research officer at the Internet Storm Center.
"Companies don't have the luxury of sitting back and waiting," Ullrich
said. "They have to expect that public exploits will become available
the day after vulnerabilities are disclosed, and they have to expedite
the patching process," despite the challenges involved, he said.
Robert McMillan of the IDG News service contributed to this report.
[1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001163
From isn at c4i.org Fri Jun 16 04:28:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:28:56 -0500 (CDT)
Subject: [ISN] NBA investigates security breach
Message-ID:
http://www.palmbeachpost.com/heat/content/sports/epaper/2006/06/15/a8c_mavsnotes_0615.html
By Tom D'Angelo
Palm Beach Post Staff Writer
June 15, 2006
MIAMI - NBA security continues to investigate a breach that allowed
two women who were unauthorized to enter the Dallas Mavericks' locker
room following Miami's Game 3 victory and wander into the showers.
Dallas forward Josh Howard chased the women out of the showers. They
then were escorted out of the building. No arrests were made.
"We're continuing to review the situation but we will certainly have
enhanced security for the remaining games of the series," NBA
spokesperson Tim Frank said.
Some Mavericks players believe the women took pictures with camera
phones before the phones were confiscated. The NBA would not comment
on the possibility that pictures were taken.
"There have been situations in the NBA where things happen, but that
might be the wildest situation that I have ever seen," Mavericks guard
Darrell Armstrong said. "I have never seen that before."
[...]
From isn at c4i.org Fri Jun 16 04:29:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:29:12 -0500 (CDT)
Subject: [ISN] ...and now a word from one of our sponsors II
Message-ID:
http://attrition.org/news/content/06-06-15.001.html
After a frustrating day at the coke web site (mycokerewards.com which
leads to another server/domain), I finally got all the FAQs and rules
to load. Frustrating because the site is poorly written, the pages
randomly 404, and inputting codez or entering the daily contests errors
out frequently. Add to that the codes are not always 100% legible on
the bottles and boxes.
Anyway, after a little math, I see that this loyalty reward program is
a complete scam! Here are a few key rules:
http://mcr.us.icoke.com/rules.do
1. The Program begins at 12:00 p.m. Eastern Time (ET) on February
27, 2006 and is scheduled to end at 12:00 p.m. ET on January 15, 2007.
The Website will indicate whether there is an active Double Points
period in effect.
3. Codes can only be used 1 time. Limit: 10 valid codes per
Account, per day (12:00 p.m. ET through 11:59 a.m. ET). However,
if an Enrollee enters 20 invalid codes before entering 10 valid
codes, Enrollee will be unable to enter any more codes for that day.
Enrollees may not combine codes obtained by others for deposit into
a single Enrollee's account, nor transfer, sell, or otherwise
dispose of codes in any manner in violation or attempted subversion
of these Terms and Conditions. Any attempt to combine or transfer
codes or points will result in disqualification from the Program
and forfeiture of all points in any Enrollee's Account.
9. Enrollees must save the bottle cap, product packaging, and/or
promotional item with official code for at least 90 days after the
date Enrollee redeems an item online, as it may be necessary to
submit it later for verification.
3. The Program is provided to individuals only. Corporations,
associations or other groups may not participate in the Program.
Cliff notes: You alone, not a group/company/association, must enter the
contest. You have 322 days to input codes, but only 10 codes a day.
That is 100 points a day max, for 32,220 points total. So the 20,000
point TV and the rewards for 24,000+ seem feasible. Until you see that
you can't combine codes from other people, and must keep the physical
cap/box with the code for 90 days after prize redemption.
In short, they think that a single person can purchase and presumably
consume *2,000* cases of coke in 322 days? If you can drink 74.5 cans
of coke per day, every day, for the entire duration of the contest,
then you have a chance of getting that prize.
Does Coca-cola realize it has implemented a loyalty program that baits
people into participating, but won't actually give out the rewards
because it isn't possible as outlined in the rules? Is this a cheap
gimmick or corporate oversight? I'd like to find out. I'm still aiming
to get codes from the masses... but now, instead of a nice TV as a
generous reward for eight years of indentured servitude, it is likely
going to be a chance to write a scathing article about corporate lies
and the reality of such loyalty reward programs. If I get 20,000
points (which is only now possible if they carry through with the
'double point' days), will they actually part with said TV? Let's find
out.
From isn at c4i.org Fri Jun 16 04:29:32 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:29:32 -0500 (CDT)
Subject: [ISN] Microsoft Has a Big Date Set with 'Black Hat' Hackers
Message-ID:
http://www.eweek.com/article2/0,1759,1976171,00.asp
By Ryan Naraine
June 13, 2006
Microsoft's Windows Vista has a date with some of the world's smartest
hackers.
The software maker will use the spotlight of the Black Hat security
conference in August to show off some of the key security features and
functionality being fitted into Vista.
Microsoft's appearance on the Black Hat stage is a first on many
fronts. Microsoft will be the first software vendor to present an
entire Black Hat Briefing track on a pre-release product. It is also
the first time a representative from Redmond, Wash., will make an
official presentation at the controversial hacker confab.
According to Microsoft program manager Stephen Toulouse, the idea is
to provide "deeply technical presentations" on Vista security to the
hacking community. "We submitted several presentations to the Black
Hat event organizers and, based on the technical merit and interest to
the audience, they were accepted," Toulouse said.
In total, the day-long track will include five presentations from
Microsoft security engineers and Toulouse said researchers and
architects from Redmond will also be actively participating in the
event. "We want to make sure we're gathering as much feedback as we
can, so that Windows Vista succeeds as the most secure version of
Windows ever released," he added.
The sessions will include a talk by John Lambert, group manager in
Microsoft's Security Engineering and Communications Group, on the
security engineering process behind Windows Vista.
Lambert is expected to hold up Vista as the first end-to-end major
operating system release in the Trustworthy Computing era from
Microsoft. His talk will cover how the Vista engineering process is
different from Windows XP and details from what is described as the
"largest-commercial-pentest-in-the-world."
Lambert plans to give Black Hat researchers a sneak peek at some of
the new mitigations in Vista that combat memory overwrite
vulnerabilities.
Wi-Fi in Vista will also come under the microscope when Noel Anderson,
group manager in Microsoft's wireless networking group, talks about
the way the operating system will handle support for 802.11 wireless
technologies.
Anderson is expected to outline the new UI experience and updated
Wi-Fi default behaviors in Vista and information on a new software
stack that is designed to be more secure, more open and extensible. He
is expected to describe the various components of the stack and show
developers how to create code to modify and extend the client.
Anderson will also outline the different ways Microsoft tests Wi-Fi in
the new operating system.
Also on the Black Hat agenda is a talk by Abolade Gbadegesin, an
architect in Microsoft's Windows Networking and Device Technologies
Division, on the way Microsoft rearchitected and rewrote the TCP/IP
stack in Vista.
Adrian Marinescu, a lead developer in the Windows Kernel group, will
outline the enhancements made in Vista's heap manager to show how the
OS has been hardened to thwart certain types of heap usage attacks.
Microsoft previously fitted technology into Windows Server 2003 and
Windows XP SP2 to reduce the reliability of heap usage attacks, but
Marinescu plans to talk about how the heap manager in Vista pushes the
innovation much further in that area. His talk will describe the
challenges the company faced and the technical details of the changes
coming in Vista.
Microsoft's oft-criticized Internet Explorer browser will also get
Black Hat billing this year when IE program manager Tony Chor
discusses the security engineering methodology that is being applied
to the new IE 7. Chor is expected to detail key vulnerabilities and
attacks this methodology revealed, as well as how the new version of
IE will mitigate those threats.
Also on tap is a talk by Andrew Cushman, director of Microsoft's
Security Response, Engineering and Outreach Team, on the way the
company has changed its internal processes to deal with the changing
security landscape.
Microsoft won't be alone shining the spotlight on Vista's security.
Joanna Rutkowska, a renowned researcher specializing in rootkits,
plans to talk about how stealthy malware threats can still be inserted
into the latest Vista Beta 2 kernel (x64 edition).
Rutkowska is expected to show how to bypass the Vista policy for
allowing only digitally signed code to be loaded into the kernel.
From isn at c4i.org Fri Jun 16 04:29:53 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:29:53 -0500 (CDT)
Subject: [ISN] Online threats outpacing law crackdowns
Message-ID:
http://news.com.com/Online+threats+outpacing+law+crackdowns/2100-7349_3-6084317.html
By Joris Evers
Staff Writer, CNET News.com
June 15, 2006
SCOTTSDALE, Ariz.--Authorities are cracking down on phishing and
botnets, but the threats are advancing instead of diminishing, two law
enforcement officials said.
Cybercrooks are organizing better and moving to more sophisticated
tactics to get their hands on confidential data and turn PCs of
unwitting users into bots, representatives from the U.S. Department of
Justice and the U.S. Air Force Office of Special Investigations said
in separate presentations here at the Computer Security Institute's
NetSec event this week.
Law enforcement has had increased successes in catching, prosecuting
and convicting phishers and bot herders over the past couple of years.
However, catching the bad guys is getting tougher as the criminals
become more professional, the representatives said.
"We're seeing increasingly sophisticated groups online that are more
indicative of crime groups," Jonathan Rusch, special counsel for fraud
prevention at the Justice Department, said in a presentation. The
criminals who have been caught range from teenagers to retirees, he
said.
Rusch spoke about phishing, a prevalent type of online attack that
combines e-mail spam and fraudulent Web sites made to look like
trusted sites, which are aimed at tricking a user into giving up
sensitive information such as a credit card or Social Security number.
Almost 17,500 phishing Web sites were reported to the Anti-Phishing
Working Group in April.
A top phishing concern is the increased use of malicious software,
Rusch said. Increasingly, phishers use Trojan horses that pack
backdoors, screen grabbers or keystroke loggers to capture log-in
names, passwords and other information, he said. In April, there were
180 unique examples of such malicious code, he said.
Backdoor software gives attackers remote access to an infected PC,
which could let them piggyback onto a user's Internet connection and
conduct online transactions from the victim's PC while masquerading as
the person, Rusch said.
Screen grabbers and keystroke loggers can be programmed to capture
very specific information and are even designed to wait until a user
logs on to a certain banking Web site and send that information to the
attacker.
Malicious software is where phishers intersect with bot herders, those
who run networks of compromised machines, called a botnet. Computers
typically become compromised and turned into a bot, also popularly
called a zombie, after visiting a malicious Web site or opening an
infected e-mail message or attachment. The bot software often nestles
itself on a PC unbeknownst to the user by exploiting an unpatched
security flaw on the system.
Law enforcement has been catching up to bot herders, and there have
been some high-profile convictions. But here, too, the battle is
getting harder, Wendi Whitmore, a special agent with the Air Force
Office of Special Investigations, said in a presentation on botnets.
"Botnets are one of the greatest facilitators of cybercrime these
days. Really the cybercrime arena is wrapped around botnets," she
said.
With ubiquitous broadband connections and exploits for security flaws
in software out before patches, the Internet environment is ideal for
bots or zombies to proliferate, she said. That assertion is backed by
a recent analysis by Microsoft. The software maker found that bots
were the most common Windows threat, with more than 60 percent of
compromised computers running bot code.
A zombie PC can be used by miscreants to store illegal content, such
as child pornography, or in a botnet to relay spam and launch
cyberattacks. Additionally, hackers often steal the victim's data and
install spyware and adware on PCs, to earn a kickback from the spyware
or adware maker.
Practice makes perfect
Meanwhile, bot masters are getting smarter about hiding. Today, most
botnets are controlled using Internet Relay Chat, or IRC, servers and
channels. Soon that could become instant messaging, peer-to-peer
technology or protocols used by Internet phone services such as Skype
or Vonage, Whitmore said.
"That is something that we're worried about because those protocols
are proprietary," she said. "They don't publish routing protocols; it
would be very difficult to catch that kind of crime."
Also, Whitmore expects cybercrooks to maintain smaller botnets with
the hope of staying under the radar. People being caught today operate
networks of as many as 1 million PCs. "There is a greater chance that
you're going to get caught, if you do that much activity and command
and control that many computers," she said.
Cybercriminals are often after data they can turn into cash, such as
credit card numbers or even trade secrets. "If you have a smaller
botnet and you combine that with targeted, really sophisticated social
engineering tactics, you're going to be potentially a lot more
successful," Whitmore said.
The military has seen a rise in such attacks over the last couple of
years, Whitmore said. The attackers know what organizations work
together, which generals would be involved and what issues they would
talk about, she said. It's "incredibly disturbing, because those are
the kinds of things that should be kept somewhat secret," she said.
Law enforcement alone cannot solve the phishing and botnet problems,
Rusch and Whitmore said. The technology industry and consumers have
key parts to play, they said.
"Part of the problem is the way we design the online environment for
users," Rusch said. It should be easier for people to see whether a
site can be trusted or not, he said. Some of that is happening today
with increased security coming in new Web browsers, for example.
A stronger effort to take down phishing Web sites is also welcome, he
said. The average phishing Web site was up for five days in April, and
that's too long, Rusch said.
In fighting bots, Whitmore sees benefits in Internet service providers
delivering security software to their users. "The long-term benefit of
ISPs becoming more involved would be an overall reduction of malicious
code on the Internet, and most of us believe that's a good thing," she
said.
From isn at c4i.org Fri Jun 16 04:30:15 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:30:15 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-24
Message-ID:
========================================================================
The Secunia Weekly Advisory Summary
2006-06-08 - 2006-06-15
This week: 149 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3..............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
The Secunia staff spends hours every day to ensure that you have the
best and most reliable source for vulnerability information. Every
single vulnerability report is validated and verified before a Secunia
advisory is written.
Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/
========================================================================
2) This Week in Brief:
Tuesday Microsoft issued a total of 12 bulletins.
One of the bulletins addressed the Extremely Critical Word
vulnerability, which has already been exploited by malware.
Another addressed the Internet Explorer vulnerability which was
discovered by Secunia Security Researcher Andreas Sandblad while
researching the crash bug reported by Michal Zalewski.
References:
http://secunia.com/SA20153
http://secunia.com/SA19762
--
VIRUS ALERTS:
During the past week Secunia collected 297 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.
========================================================================
3) This Week's Top Ten Most Read Advisories:
1. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
2. [SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
3. [SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow
4. [SA19762] Internet Explorer Exception Handling Memory Corruption
Vulnerability
5. [SA20442] Firefox File Upload Form Keystroke Event Cancel
Vulnerability
6. [SA19521] Internet Explorer Window Loading Race Condition
Vulnerability
7. [SA20543] FilZip Multiple Archive Directory Traversal Vulnerability
8. [SA19738] Internet Explorer "mhtml:" Redirection Disclosure of
Sensitive Information
9. [SA20626] Windows Media Player PNG Processing Buffer Overflow
10. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA20631] Microsoft Windows Graphics Rendering Engine Vulnerability
[SA20626] Windows Media Player PNG Processing Buffer Overflow
[SA20620] Microsoft JScript Memory Corruption Vulnerability
[SA20605] Microsoft Windows ART Image Handling Buffer Overflow
[SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
[SA20575] WinSCP Protocol Handler Command Line Switch Injection
[SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow
[SA20634] Microsoft Exchange Server Outlook Web Access Script
Insertion
[SA20609] ePhotos Multiple SQL Injection Vulnerabilities
[SA20574] CesarFTP MKD Command Buffer Overflow Vulnerability
[SA20556] MailEnable Enterprise Multiple WebMail Vulnerabilities
[SA20554] My Photo Scrapbook SQL Injection and Cross-Site Scripting
[SA20545] OfficeFlow Cross-Site Scripting and SQL Injection
Vulnerabilities
[SA20517] ASP ListPics Cross-Site Scripting and Script Insertion
[SA20637] Microsoft Windows RPC Mutual Authentication Vulnerability
[SA20630] Microsoft Windows Routing and Remote Access Vulnerabilities
[SA20617] fipsCMS "index.asp" Cross-Site Scripting Vulnerabilities
[SA20614] ClickGallery Cross-Site Scripting Vulnerabilities
[SA20610] i-Gallery Cross-Site Scripting Vulnerabilities
[SA20606] Uphotogallery thumbnails.asp Cross-Site Scripting
[SA20604] Xtreme ASP Photo Gallery Cross-Site Scripting
Vulnerabilities
[SA20603] DwZone Shopping Cart "ProductDetailsForm.asp" Cross-Site
Scripting
[SA20583] Cabacos Web CMS "suchtext" Parameter Cross-Site Scripting
[SA20582] CFXe CMS "voltext_suche" Parameter Cross-Site Scripting
[SA20578] LogiSphere Cross-Site Scripting Vulnerability
[SA20559] fipsGallery "path" Parameter Cross-Site Scripting
Vulnerability
[SA20553] EZGallery Multiple Cross-Site Scripting Vulnerabilities
[SA20544] VanillaSoft Helpdesk "username" Cross-Site Scripting
[SA20543] FilZip Multiple Archive Directory Traversal Vulnerability
[SA20537] WS-Album "FullPhoto.asp" Cross-Site Scripting
Vulnerabilities
[SA20527] ClickCart "cat" Parameter Cross-Site Scripting Vulnerability
[SA20635] Windows SMB Denial of Service and Privilege Escalation
[SA20629] Kaspersky Anti-Virus "klif.sys" Denial of Service
Vulnerability
UNIX/Linux:
[SA20669] Gentoo update for DokuWiki
[SA20592] Zeroboard ".htaccess" File Upload Vulnerability
[SA20569] free QBoard "qb_path" Parameter File Inclusion Vulnerability
[SA20561] Gentoo update for firefox
[SA20689] Ubuntu update for wv2
[SA20683] Slackware update for sendmail
[SA20675] IBM AIX update for Sendmail
[SA20673] SGI IRIX update for sendmail
[SA20671] Debian update for kernel-source-2.4.27
[SA20667] Avaya Products LibTIFF Multiple Vulnerabilities
[SA20665] wvWare wv2 Library Integer Overflow Vulnerability
[SA20654] SUSE update for sendmail
[SA20653] Avaya Products PostgreSQL Multiple Vulnerabilities
[SA20651] FreeBSD update for sendmail
[SA20650] Solaris update for sendmail
[SA20641] Red Hat update for sendmail
[SA20638] Mandriva update for freetype2
[SA20625] Red Hat update for mysql
[SA20624] Red Hat update for mailman
[SA20608] Gentoo update for wordpress
[SA20591] Debian update for freetype
[SA20564] Gentoo update for cscope
[SA20562] Gentoo update for mysql
[SA20555] SUSE update for postgresql
[SA20551] 0verkill Denial of Service Vulnerability
[SA20550] Ubuntu update for binutils
[SA20548] Ubuntu update for courier-mta
[SA20542] Debian update for webcalendar
[SA20541] Debian update for mysql-dfsg-4.1
[SA20531] Trustix updates for binutils / mysql / spamassassin
[SA20525] Ubuntu update for libfreetype6
[SA20520] Debian update for tiff
[SA20519] Courier Mail Server Username Encoding Denial of Service
[SA20658] Gentoo update for asterisk
[SA20566] Gentoo update for Spamassassin
[SA20676] SUSE update for php4 / php5
[SA20672] Debian update for horde3
[SA20627] SUSE Updates for Multiple Packages
[SA20622] Debian update for gforge
[SA20601] P.A.I.D "read" Parameter Cross-Site Scripting Vulnerability
[SA20571] Ubuntu update for libgd2
[SA20563] Gentoo update for jpeg
[SA20677] aRts "artswrapper" Helper Application setuid Security Issue
[SA20674] Ubuntu update for kdm
[SA20660] Red Hat update for kdebase
[SA20636] Gentoo update for gdm
[SA20616] Gentoo update for vixie-cron
[SA20602] KDE KDM Arbitrary File Reading Vulnerability
[SA20587] Mandriva update for gdm
[SA20552] Ubuntu update for gdm
[SA20532] GNOME Display Manager Configuration GUI Access Vulnerability
[SA20549] Ubuntu update for xine-lib
[SA20666] Avaya Products vixie-cron Exposure of Arbitrary Cron Files
Other:
[SA20618] FAST360 Appliance DNS Analysis Denial of Service
[SA20570] FAST360 Appliance HTTP Analysis Bypass Vulnerability
[SA20644] Cisco WebVPN Cross-Site Scripting Vulnerability
[SA20647] Symantec Security Information Manager Authentication Bypass
Cross Platform:
[SA20656] PictureDis Products "lang" Parameter File Inclusion
Vulnerability
[SA20633] Microsoft PowerPoint Malformed Record Vulnerability
[SA20632] Flipper Poll "root_path" File Inclusion Vulnerability
[SA20588] aePartner "dir[data]" File Inclusion Vulnerability
[SA20573] phpCMS "PHPCMS_INCLUDEPATH" File Inclusion Vulnerabilities
[SA20568] webprojectdb "INCDIR" Parameter File Inclusion
Vulnerabilities
[SA20558] AWF CMS "spaw_root" Parameter File Inclusion Vulnerability
[SA20557] Content*Builder File Inclusion Vulnerabilities
[SA20536] Minerva "phpbb_root_path" File Inclusion Vulnerability
[SA20522] Enterprise Payroll Systems "absolutepath" File Inclusion
[SA20687] phpBannerExchange "email" Parameter SQL Injection
[SA20648] TikiWiki Unspecified Cross-Site Scripting and SQL Injection
[SA20646] blur6ex "ID" Parameter SQL Injection Vulnerability
[SA20642] PhpMyFactures Multiple Vulnerabilities
[SA20613] Five Star Review Script Multiple Vulnerabilities
[SA20611] Mobile Space Community Multiple Vulnerabilities
[SA20607] tinyMuw "comment" Script Insertion Vulnerability
[SA20599] MyScrapbook Script Insertion Vulnerabilities
[SA20598] ST AdManager Lite Article Submission Script Insertion
Vulnerability
[SA20597] Coppermine Photo Gallery "add_hit()" SQL Injection
[SA20581] Fast Menu Restaurant Ordering Multiple Vulnerabilities
[SA20576] Adobe Reader Unspecified Vulnerabilities
[SA20547] i.List Cross-Site Scripting and Script Insertion
Vulnerabilities
[SA20535] E-Dating System Multiple Vulnerabilities
[SA20534] CS-Forum Multiple Vulnerabilities
[SA20529] Mafia Moblog "img" Parameter SQL Injection Vulnerability
[SA20526] PBL Guestbook Script Insertion Vulnerabilities
[SA20523] NPDS Local File Inclusion and Cross-Site Scripting
Vulnerabilities
[SA20521] KAPhotoservice Cross-Site Scripting and Script Insertion
[SA20623] iaxComm iaxclient Buffer Overflow Vulnerability
[SA20567] Kiax iaxclient Buffer Overflow Vulnerability
[SA20560] IDE FISK iaxclient Buffer Overflow Vulnerability
[SA20661] Horde Cross-Site Scripting Vulnerabilities
[SA20652] 35mm Slide Gallery Multiple Cross-Site Scripting
Vulnerabilities
[SA20640] Event Registration Multiple Cross-Site Scripting
Vulnerabilities
[SA20621] OkMall "search.php" Cross-Site Scripting Vulnerabilities
[SA20619] iFoto "file" Cross-Site Scripting Vulnerability
[SA20612] Mole Group Ticket Booking Script Cross-Site Scripting
[SA20594] QuickLinks "q" Cross-Site Scripting Vulnerability
[SA20593] OkArticles "q" Cross-Site Scripting Vulnerability
[SA20590] Ringlink "ringid" Cross-Site Scripting Vulnerabilities
[SA20586] Realty Room Rent "sel_menu" Cross-Site Scripting
Vulnerability
[SA20585] ZMS "raw" Parameter Cross-Site Scripting Vulnerability
[SA20584] Realty Home Rent "sel_menu" Cross-Site Scripting
Vulnerability
[SA20580] SubText MultiBlog Admin Logon Security Issue
[SA20577] Sylpheed URI Check Bypass Security Issue
[SA20572] myPHP Guestbook "lang" Cross-Site Scripting
[SA20565] Car Classifieds "make_id" Cross-Site Scripting Vulnerability
[SA20546] EvGenius Counter "page" Parameter Cross-Site Scripting
[SA20540] Chemical Directory Search Functionality Cross-Site Scripting
[SA20539] Easy Ad-Manager "mbid" Parameter Cross-Site Scripting
[SA20538] ViArt Shop Free Cross-Site Scripting Vulnerabilities
[SA20533] vSCAL / vsREAL Cross-Site Scripting Vulnerabilities
[SA20530] Ez Ringtone Manager Cross-Site Scripting Vulnerabilities
[SA20528] IntegraMOD "STYLE_URL" Parameter Cross-Site Scripting
[SA20524] SHOUTcast Server DJ Script Insertion Vulnerabilities
[SA20579] DB2 Universal Database Multiple Denial of Service
Vulnerabilities
[SA20518] Sun Grid Engine CSP Mode Authentication Security Issue
========================================================================
5) Vulnerabilities Content Listing
Windows:
--
[SA20631] Microsoft Windows Graphics Rendering Engine Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
Symantec has reported a vulnerability in certain old versions of
Windows, which can be exploited by malicious people to compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/20631/
--
[SA20626] Windows Media Player PNG Processing Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
iDefense Labs has reported a vulnerability in Windows Media Player,
which can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/20626/
--
[SA20620] Microsoft JScript Memory Corruption Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20620/
--
[SA20605] Microsoft Windows ART Image Handling Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20605/
--
[SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Spoofing, System access
Released: 2006-06-13
Some vulnerabilities have been reported in Internet Explorer, which can
be exploited by malicious people to conduct phishing attacks and
compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20595/
--
[SA20575] WinSCP Protocol Handler Command Line Switch Injection
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-06-12
Jelmer Kuperus has discovered a vulnerability in WinSCP, which can be
exploited by malicious people to manipulate certain files on a user's
system and potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20575/
--
[SA20639] Microsoft Windows TCP/IP Protocol Driver Buffer Overflow
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-13
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20639/
--
[SA20634] Microsoft Exchange Server Outlook Web Access Script
Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
SEC Consult has reported a vulnerability in Microsoft Exchange Server,
which can be exploited by malicious people to conduct script insertion
attacks.
Full Advisory:
http://secunia.com/advisories/20634/
--
[SA20609] ePhotos Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-13
r0t has reported some vulnerabilities in ePhotos, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20609/
--
[SA20574] CesarFTP MKD Command Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-12
h07 has discovered a vulnerability in CesarFTP, which can be exploited
by malicious users to cause a DoS (Denial of Service) and potentially
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20574/
--
[SA20556] MailEnable Enterprise Multiple WebMail Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Privilege escalation
Released: 2006-06-12
Soroush Dalili has discovered some vulnerabilities in MailEnable
Enterprise, which potentially can be exploited by malicious users to
gain escalated privileges, and by malicious people and users to bypass
certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20556/
--
[SA20554] My Photo Scrapbook SQL Injection and Cross-Site Scripting
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-09
r0t has reported some vulnerabilities in My Photo Scrapbook, which can
be exploited by malicious people to conduct cross-site scripting and
SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20554/
--
[SA20545] OfficeFlow Cross-Site Scripting and SQL Injection
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-09
r0t has reported two vulnerabilities in OfficeFlow, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20545/
--
[SA20517] ASP ListPics Cross-Site Scripting and Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
Two vulnerabilities have been reported in ASP ListPics, which can be
exploited by malicious people to conduct cross-site scripting and
script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20517/
--
[SA20637] Microsoft Windows RPC Mutual Authentication Vulnerability
Critical: Moderately critical
Where: From local network
Impact: Spoofing
Released: 2006-06-13
A vulnerability has been reported in Microsoft Windows, which can be
exploited by malicious people to spoof a valid RPC server.
Full Advisory:
http://secunia.com/advisories/20637/
--
[SA20630] Microsoft Windows Routing and Remote Access Vulnerabilities
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-13
Two vulnerabilities have been reported in Microsoft Windows, which can
be exploited by malicious people or users to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20630/
--
[SA20617] fipsCMS "index.asp" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has reported some vulnerabilities in fipsCMS, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20617/
--
[SA20614] ClickGallery Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported two vulnerabilities in ClickGallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20614/
--
[SA20610] i-Gallery Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported some vulnerabilities in i-Gallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20610/
--
[SA20606] Uphotogallery thumbnails.asp Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported a vulnerability in Uphotogallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20606/
--
[SA20604] Xtreme ASP Photo Gallery Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has discovered some vulnerabilities in Xtreme ASP Photo Gallery,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20604/
--
[SA20603] DwZone Shopping Cart "ProductDetailsForm.asp" Cross-Site
Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported two vulnerabilities in DwZone Shopping Cart, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20603/
--
[SA20583] Cabacos Web CMS "suchtext" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
David "Aesthetico" Vieira-Kurz has reported a vulnerability in Cabacos
Web CMS, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20583/
--
[SA20582] CFXe CMS "voltext_suche" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
David "Aesthetico" Vieira-Kurz has reported a vulnerability in CFXe
CMS, which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20582/
--
[SA20578] LogiSphere Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
Ziv Kamir has discovered a vulnerability in LogiSphere, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20578/
--
[SA20559] fipsGallery "path" Parameter Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has reported a vulnerability in fipsGallery, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20559/
--
[SA20553] EZGallery Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has reported some vulnerabilities in EZGallery, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20553/
--
[SA20544] VanillaSoft Helpdesk "username" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
r0t has reported a vulnerability in VanillaSoft Helpdesk, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20544/
--
[SA20543] FilZip Multiple Archive Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-06-09
Claus Berghamer has discovered a vulnerability in FilZip, which
potentially can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/20543/
--
[SA20537] WS-Album "FullPhoto.asp" Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has discovered some vulnerabilities in WS-Album, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20537/
--
[SA20527] ClickCart "cat" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
r0t has reported a vulnerability in ClickCart, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20527/
--
[SA20635] Windows SMB Denial of Service and Privilege Escalation
Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2006-06-13
Ruben Santamarta has reported two vulnerabilities in Microsoft Windows,
which can be exploited by malicious, local users to cause a DoS (Denial
of Service) and gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/20635/
--
[SA20629] Kaspersky Anti-Virus "klif.sys" Denial of Service
Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-06-14
Skywing has discovered a vulnerability in Kaspersky Anti-Virus, which
potentially can be exploited by malicious, local users to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/20629/
UNIX/Linux:
--
[SA20669] Gentoo update for DokuWiki
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, System
access
Released: 2006-06-15
Gentoo has issued an update for DokuWiki. This fixes some
vulnerabilities, which can be exploited by malicious users to bypass
certain security restrictions and by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/20669/
--
[SA20592] Zeroboard ".htaccess" File Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
Richard Son has discovered a vulnerability in Zeroboard, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20592/
--
[SA20569] free QBoard "qb_path" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12
Kacper has reported a vulnerability in free QBoard, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20569/
--
[SA20561] Gentoo update for firefox
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, System access
Released: 2006-06-12
Gentoo has issued an update for firefox. This fixes multiple
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions, conduct cross-site scripting and HTTP
response smuggling attacks, and potentially compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/20561/
--
[SA20689] Ubuntu update for wv2
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-15
Ubuntu has issued an update for wv2. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise an
application using the library.
Full Advisory:
http://secunia.com/advisories/20689/
--
[SA20683] Slackware update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
Slackware has issued an update for sendmail. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20683/
--
[SA20675] IBM AIX update for Sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
IBM has acknowledged a vulnerability in sendmail, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20675/
--
[SA20673] SGI IRIX update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
SGI has issued an update for sendmail. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20673/
--
[SA20671] Debian update for kernel-source-2.4.27
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of system information, Exposure
of sensitive information, DoS
Released: 2006-06-15
Debian has issued an update for kernel-source-2.4.27. This fixes some
vulnerabilities and weaknesses, which can be exploited by malicious,
local users to bypass certain security restrictions, disclose
potentially sensitive information and cause a DoS (Denial of Service),
and by malicious people to bypass certain security restrictions, gain
knowledge of certain system information, and cause a DoS.
Full Advisory:
http://secunia.com/advisories/20671/
--
[SA20667] Avaya Products LibTIFF Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-14
Avaya has acknowledged some vulnerabilities in various Avaya products,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20667/
--
[SA20665] wvWare wv2 Library Integer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-15
A vulnerability has been reported in wvWare wv2 Library, which
potentially can be exploited by malicious people to compromise an
application using the library.
Full Advisory:
http://secunia.com/advisories/20665/
--
[SA20654] SUSE update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
SUSE has issued an update for sendmail. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20654/
--
[SA20653] Avaya Products PostgreSQL Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-06-14
Avaya has acknowledged two vulnerabilities and a weakness in various
Avaya products, which potentially can be exploited by malicious, local
users to bypass certain security restrictions, and by malicious people
to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20653/
--
[SA20651] FreeBSD update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
FreeBSD has issued an update for sendmail. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20651/
--
[SA20650] Solaris update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
Sun has acknowledged an update for sendmail. This fixes a
vulnerability, which can be exploited by malicious people to cause a
DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20650/
--
[SA20641] Red Hat update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-15
Red Hat has issued an update for sendmail. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20641/
--
[SA20638] Mandriva update for freetype2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-13
Mandriva has issued an update for freetype2. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20638/
--
[SA20625] Red Hat update for mysql
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of
sensitive information
Released: 2006-06-12
Red Hat has issued an update for mysql. This fixes a security issue and
some vulnerabilities, which can be exploited by malicious users to
bypass certain security restrictions and to disclose potentially
sensitive information, and potentially by malicious people to conduct
SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20625/
--
[SA20624] Red Hat update for mailman
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-12
Red Hat has issued an update for mailman. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20624/
--
[SA20608] Gentoo update for wordpress
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-12
Gentoo has issued an update for wordpress. This fixes a vulnerability,
which can be exploited by malicious users to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20608/
--
[SA20591] Debian update for freetype
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-12
Debian has issued an update for freetype. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20591/
--
[SA20564] Gentoo update for cscope
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-12
Gentoo has issued an update for cscope. This fixes a vulnerability,
which can be exploited by malicious people to potentially compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/20564/
--
[SA20562] Gentoo update for mysql
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-12
Gentoo has issued an update for MySQL. This fixes a vulnerability,
which potentially can be exploited by malicious people to conduct SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20562/
--
[SA20555] SUSE update for postgresql
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-12
SUSE has issued an update for postgresql. This fixes two
vulnerabilities, which potentially can be exploited by malicious people
to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20555/
--
[SA20551] 0verkill Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-09
Federico Fazzi has discovered a vulnerability in 0verkill, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20551/
--
[SA20550] Ubuntu update for binutils
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-09
Ubuntu has issued an update for binutils. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20550/
--
[SA20548] Ubuntu update for courier-mta
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-09
Ubuntu has issued an update for courier-mta. This fixes a
vulnerability, which potentially can be exploited by malicious people
to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20548/
--
[SA20542] Debian update for webcalendar
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information
Released: 2006-06-13
Debian has issued an update for webcalendar. This fixes a
vulnerability, which can be exploited by malicious people to bypass
certain security restrictions and disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/20542/
--
[SA20541] Debian update for mysql-dfsg-4.1
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-09
Debian has issued an update for mysql-dfsg-4.1. This fixes a
vulnerability, which potentially can be exploited by malicious people
to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20541/
--
[SA20531] Trustix updates for binutils / mysql / spamassassin
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, DoS, System access
Released: 2006-06-09
Trustix has issued updates for binutils, mysql, and spamassassin. These
fix some vulnerabilities, which can be exploited by malicious people to
conduct SQL injection attacks, cause a DoS (Denial of Service), and
potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20531/
--
[SA20525] Ubuntu update for libfreetype6
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-09
Ubuntu has issued an update for libfreetype6. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20525/
--
[SA20520] Debian update for tiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-08
Debian has issued an update for tiff. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20520/
--
[SA20519] Courier Mail Server Username Encoding Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-08
A vulnerability has been reported in Courier Mail Server, which
potentially can be exploited by malicious people to cause a DoS (Denial
of Service).
Full Advisory:
http://secunia.com/advisories/20519/
--
[SA20658] Gentoo update for asterisk
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-15
Gentoo has issued an update for asterisk. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20658/
--
[SA20566] Gentoo update for Spamassassin
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-12
Gentoo has issued an update for spamassassin. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20566/
--
[SA20676] SUSE update for php4 / php5
Critical: Less critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-15
SUSE has issued an update for php. This fixes some vulnerabilities,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service) or to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20676/
--
[SA20672] Debian update for horde3
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-15
Debian has issued an update for horde3. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20672/
--
[SA20627] SUSE Updates for Multiple Packages
Critical: Less critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2006-06-12
SUSE has issued updates for multiple packages. These fix
vulnerabilities, which can be exploited by malicious, local users to
bypass certain security restrictions and by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20627/
--
[SA20622] Debian update for gforge
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
Debian has issued an update for gforge. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20622/
--
[SA20601] P.A.I.D "read" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
luny has reported a vulnerability in P.A.I.D, which can be exploited by
malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20601/
--
[SA20571] Ubuntu update for libgd2
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-14
Ubuntu has issued an update for libgd2. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service) against applications and services using libgd2.
Full Advisory:
http://secunia.com/advisories/20571/
--
[SA20563] Gentoo update for jpeg
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-12
Gentoo has issued an update for jpeg. This fixes a security issue,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service) against applications and services using the jpeg
library.
Full Advisory:
http://secunia.com/advisories/20563/
--
[SA20677] aRts "artswrapper" Helper Application setuid Security Issue
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-15
A security issue has been reported in aRts, which potentially can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
Full Advisory:
http://secunia.com/advisories/20677/
--
[SA20674] Ubuntu update for kdm
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-15
Ubuntu has issued an update for kdm. This fixes a vulnerability, which
can be exploited by malicious, local users to gain knowledge of
sensitive information.
Full Advisory:
http://secunia.com/advisories/20674/
--
[SA20660] Red Hat update for kdebase
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-15
Red Hat has issued an update for kdm. This fixes a vulnerability, which
can be exploited by malicious, local users to gain knowledge of
sensitive information.
Full Advisory:
http://secunia.com/advisories/20660/
--
[SA20636] Gentoo update for gdm
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-13
Gentoo has issued an update for gdm. This fixes a vulnerability, which
can be exploited by malicious, local users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20636/
--
[SA20616] Gentoo update for vixie-cron
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-12
Gentoo has issued an update for vixie-cron. This fixes a security
issue, which potentially can be exploited by malicious, local users to
perform certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/20616/
--
[SA20602] KDE KDM Arbitrary File Reading Vulnerability
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-15
A vulnerability has been reported in KDE, which can be exploited by
malicious, local users to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/20602/
--
[SA20587] Mandriva update for gdm
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-14
Mandriva has issued an update for gdm. This fixes a vulnerability,
which can be exploited by malicious, local users to bypass certain
security restrictions.
Full Advisory:
http://secunia.com/advisories/20587/
--
[SA20552] Ubuntu update for gdm
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-09
Ubuntu has issued an update for gdm. This fixes a vulnerability, which
can be exploited by malicious, local users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20552/
--
[SA20532] GNOME Display Manager Configuration GUI Access Vulnerability
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-09
Victor Daniel has reported a vulnerability in GNOME Display Manager
(GDM), which can be exploited by malicious, local users to bypass
certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20532/
--
[SA20549] Ubuntu update for xine-lib
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-06-09
Ubuntu has issued an update for xine-lib. This fixes a weakness, which
can be exploited by malicious people to crash certain applications on a
user's system.
Full Advisory:
http://secunia.com/advisories/20549/
--
[SA20666] Avaya Products vixie-cron Exposure of Arbitrary Cron Files
Critical: Not critical
Where: Local system
Impact: Exposure of system information
Released: 2006-06-14
Avaya has acknowledged a vulnerability in various products, which can
be exploited by malicious, local users to read arbitrary cron files.
Full Advisory:
http://secunia.com/advisories/20666/
Other:
--
[SA20618] FAST360 Appliance DNS Analysis Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-12
A vulnerability has been reported in FAST360 Appliance, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20618/
--
[SA20570] FAST360 Appliance HTTP Analysis Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-12
A vulnerability has been reported in FAST360 Appliance, which can be
exploited by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20570/
--
[SA20644] Cisco WebVPN Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14
A vulnerability has been reported in Cisco WebVPN, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20644/
--
[SA20647] Symantec Security Information Manager Authentication Bypass
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-14
A vulnerability has been reported in Symantec Security Information
Manager, which can be exploited by malicious, local users to bypass
certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20647/
Cross Platform:
--
[SA20656] PictureDis Products "lang" Parameter File Inclusion
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-15
spykids has discovered some vulnerabilities in PictureDis products,
which can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20656/
--
[SA20633] Microsoft PowerPoint Malformed Record Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
A vulnerability has been reported in Microsoft PowerPoint, which can be
exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20633/
--
[SA20632] Flipper Poll "root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-15
SpC-x has reported a vulnerability in Flipper Poll, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20632/
--
[SA20588] aePartner "dir[data]" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12
Kacper has discovered a vulnerability in aePartner, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20588/
--
[SA20573] phpCMS "PHPCMS_INCLUDEPATH" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
Federico Fazzi has discovered some vulnerabilities in phpCMS, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20573/
--
[SA20568] webprojectdb "INCDIR" Parameter File Inclusion
Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12
Kacper has discovered two vulnerabilities in webprojectdb, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20568/
--
[SA20558] AWF CMS "spaw_root" Parameter File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12
Federico Fazzi has discovered a vulnerability in AWF CMS, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20558/
--
[SA20557] Content*Builder File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-12
Some vulnerabilities have been reported in Content*Builder, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20557/
--
[SA20536] Minerva "phpbb_root_path" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-13
Kacper has discovered a vulnerability in Minerva, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20536/
--
[SA20522] Enterprise Payroll Systems "absolutepath" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-09
Kacper has discovered two vulnerabilities in Enterprise Payroll
Systems, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/20522/
--
[SA20687] phpBannerExchange "email" Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-15
RedTeam has reported a vulnerability in phpBannerExchange, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20687/
--
[SA20648] TikiWiki Unspecified Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-14
securitynews has reported some vulnerabilities in TikiWiki, which can
be exploited by malicious people to conduct cross-site scripting and
SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20648/
--
[SA20646] blur6ex "ID" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-14
rgod has reported a vulnerability in blur6ex, which can be exploited by
malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20646/
--
[SA20642] PhpMyFactures Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of
data
Released: 2006-06-14
DarkFig has discovered some vulnerabilities in PhpMyFactures, which can
be exploited by malicious people to conduct cross-site scripting and SQL
injection attacks, and to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20642/
--
[SA20613] Five Star Review Script Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14
luny has reported some vulnerabilities in Five Star Review Script,
which can be exploited by malicious users to conduct script insertion
attacks and by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20613/
--
[SA20611] Mobile Space Community Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of
sensitive information
Released: 2006-06-13
luny has reported some vulnerabilities in Mobile Space Community, which
can be exploited by malicious people to conduct script insertion and SQL
injection attacks, and potentially disclose sensitive information.
Full Advisory:
http://secunia.com/advisories/20611/
--
[SA20607] tinyMuw "comment" Script Insertion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
luny has reported a vulnerability in tinyMuw, which can be exploited by
malicious users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20607/
--
[SA20599] MyScrapbook Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
luny has reported two vulnerabilities in MyScrapbook, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20599/
--
[SA20598] ST AdManager Lite Article Submission Script Insertion
Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
luny has reported a vulnerability in ST AdManager Lite, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20598/
--
[SA20597] Coppermine Photo Gallery "add_hit()" SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-13
imei addmimistrator has discovered two vulnerabilities in Coppermine
Photo Gallery, which can be exploited by malicious people to conduct
SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20597/
--
[SA20581] Fast Menu Restaurant Ordering Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-14
luny has reported some vulnerabilities in Fast Menu Restaurant
Ordering, which can be exploited by malicious people to conduct
cross-site scripting attacks and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20581/
--
[SA20576] Adobe Reader Unspecified Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown
Released: 2006-06-15
Some vulnerabilities with unknown impacts have been reported in Adobe
Reader.
Full Advisory:
http://secunia.com/advisories/20576/
--
[SA20547] i.List Cross-Site Scripting and Script Insertion
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
David 'Aesthetico' Vieira-Kurz has discovered some vulnerabilities in
i.List, which can be exploited by malicious people to conduct
cross-site scripting and script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20547/
--
[SA20535] E-Dating System Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information,
Exposure of sensitive information
Released: 2006-06-09
luny has reported some vulnerabilities and a security issue in E-Dating
System, which can be exploited by malicious people to conduct cross-site
scripting and script insertion attacks, and disclose sensitive
information.
Full Advisory:
http://secunia.com/advisories/20535/
--
[SA20534] CS-Forum Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of
system information, Security Bypass
Released: 2006-06-13
DarkFig has reported some vulnerabilities in CS-Forum, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks, and use it as an open mail relay.
Full Advisory:
http://secunia.com/advisories/20534/
--
[SA20529] Mafia Moblog "img" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-09
Simo64 has discovered a vulnerability in Mafia Moblog, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20529/
--
[SA20526] PBL Guestbook Script Insertion Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
luny has discovered some vulnerabilities in PBL Guestbook, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20526/
--
[SA20523] NPDS Local File Inclusion and Cross-Site Scripting
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information,
Exposure of sensitive information
Released: 2006-06-09
DarkFig has discovered some vulnerabilities in NPDS, which can be
exploited by malicious people to conduct cross-site scripting attacks
and to disclose potentially sensitive information.
Full Advisory:
http://secunia.com/advisories/20523/
--
[SA20521] KAPhotoservice Cross-Site Scripting and Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
r0t has reported some vulnerabilities in KAPhotoservice, which can be
exploited by malicious people to conduct cross-site scripting and
script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20521/
--
[SA20623] iaxComm iaxclient Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-12
Two vulnerabilities have been reported in iaxComm, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20623/
--
[SA20567] Kiax iaxclient Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: System access, DoS
Released: 2006-06-12
Two vulnerabilities have been reported in Kiax, which can be exploited
by malicious people to cause a DoS (Denial of Service) and potentially
to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20567/
--
[SA20560] IDE FISK iaxclient Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-12
Two vulnerabilities have been reported in IDE FISK (IDEFISK), which can
be exploited by malicious people to cause a DoS (Denial of Service) and
potentially to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20560/
--
[SA20661] Horde Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-15
Some vulnerabilities have been reported in Horde, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20661/
--
[SA20652] 35mm Slide Gallery Multiple Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-15
black-code has reported some vulnerabilities in 35mm Slide Gallery,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20652/
--
[SA20640] Event Registration Multiple Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14
luny has reported some vulnerabilities in Event Registration, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20640/
--
[SA20621] OkMall "search.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
luny has reported some vulnerabilities in OkMall, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20621/
--
[SA20619] iFoto "file" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
luny has discovered a vulnerability in iFoto, which can be exploited by
malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20619/
--
[SA20612] Mole Group Ticket Booking Script Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
luny has reported a vulnerability in Mole Group Ticket Booking Script,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20612/
--
[SA20594] QuickLinks "q" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
luny has reported a vulnerability in QuickLinks, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20594/
--
[SA20593] OkArticles "q" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
luny has reported a vulnerability in OkArticles, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20593/
--
[SA20590] Ringlink "ringid" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
luny has reported some vulnerabilities in Ringlink, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20590/
--
[SA20586] Realty Room Rent "sel_menu" Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14
luny has reported a vulnerability in Realty Room Rent, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20586/
--
[SA20585] ZMS "raw" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-12
David "Aesthetico" Vieira-Kurz has discovered a vulnerability in ZMS,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20585/
--
[SA20584] Realty Home Rent "sel_menu" Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14
luny has reported a vulnerability in Realty Home Rent, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20584/
--
[SA20580] SubText MultiBlog Admin Logon Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-12
A security issue has been reported in SubText, which can be exploited
by malicious users to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20580/
--
[SA20577] Sylpheed URI Check Bypass Security Issue
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-12
A security issue has been reported in Sylpheed, which potentially can
be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20577/
--
[SA20572] myPHP Guestbook "lang" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
x0r_1 has discovered a vulnerability in myPHP Guestbook, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20572/
--
[SA20565] Car Classifieds "make_id" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-14
luny has reported a vulnerability in Car Classifieds, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20565/
--
[SA20546] EvGenius Counter "page" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-13
r0t has reported two vulnerabilities in EvGenius Counter, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20546/
--
[SA20540] Chemical Directory Search Functionality Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
luny has reported a vulnerability in Chemical Directory, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20540/
--
[SA20539] Easy Ad-Manager "mbid" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
luny has reported a vulnerability in Easy Ad-Manager, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20539/
--
[SA20538] ViArt Shop Free Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
John Cobb has discovered two vulnerabilities in ViArt Shop Free, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20538/
--
[SA20533] vSCAL / vsREAL Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
luny has reported two vulnerabilities in vSCAL and vsREAL, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20533/
--
[SA20530] Ez Ringtone Manager Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
luny has reported two vulnerabilities in Ez Ringtone Manager, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20530/
--
[SA20528] IntegraMOD "STYLE_URL" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
ahwaz has discovered a vulnerability in IntegraMOD, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20528/
--
[SA20524] SHOUTcast Server DJ Script Insertion Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-09
UZUZZ has discovered some vulnerabilities in SHOUTcast, which can be
exploited by malicious users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20524/
--
[SA20579] DB2 Universal Database Multiple Denial of Service
Vulnerabilities
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-06-14
Some vulnerabilities have been reported in DB2, which can be exploited
by malicious people and users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20579/
--
[SA20518] Sun Grid Engine CSP Mode Authentication Security Issue
Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-08
A security issue has been reported in Sun Grid Engine, which can be
exploited by malicious, local users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20518/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
From isn at c4i.org Fri Jun 16 04:30:56 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 16 Jun 2006 03:30:56 -0500 (CDT)
Subject: [ISN] Study: Sarbanes-Oxley forcing some companies to consider
going private
Message-ID:
http://www.networkworld.com/news/2006/061506-sarbanes-oxley.html
By Ann Bednarz
NetworkWorld.com
06/15/06
Faced with the costs to comply with the Sarbanes-Oxley Act, some
public companies are looking at going private, even though the costs
fell slightly in 2005.
Fed up with the Sarbanes-Oxley burden, 21% of companies that responded
to law firm Foley & Lardner's latest study said they are considering
going private. Other options respondents are considering include
selling the company (10%) and merging with another company (8%).
Meanwhile, costs associated with corporate governance reform dropped
16% for companies with less than $1 billion in annual revenue and 6%
for companies with greater than $1 billion in annual revenue, reports
Foley & Lardner in its fourth annual Sarbanes-Oxley study, released
Thursday.
The savings stem from decreased productivity losses, legal fees and
initial setup costs. However, audit fees increased, as did the cost of
board compensation and liability insurance for directors and officers.
Many industry watchers expected audit fees would drop during public
companies' second year of complying with Sarbanes-Oxley Section 404,
which requires companies to attest to the effectiveness of controls
put in place to protect financial reporting systems and processes.
Instead, they increased: Audit fees rose 22% for small companies, 6%
for midsize companies and 4% for large companies (as defined by
Standard & Poor's indices).
Smaller public companies, in particular, felt the burden of increased
audit costs, said Tom Hartman, corporate governance study director and
business law partner at Foley & Lardner, in a teleconference. "The
increase is disproportionately impacting smaller companies," he said.
The fees companies pay their directors also have climbed considerably
as a result of corporate governance and public disclosure reforms
implemented since the enactment of Sarbanes-Oxley. Overall annual
director fees have increased an average of 71% for small companies,
64% for midsize companies, and 58% for large companies between 2001
and 2005.
When all the expenses are tallied, companies with under $1 billion in
revenue spent an average of $2.9 million to comply with Sarbanes-Oxley
in 2005, and companies with greater than $1 billion in revenue spent
$11.5 million.
For companies of all sizes, audit fees represent the biggest portion
of those expenses, followed by the cost of lost productivity. While
down from 2004 levels, lost productivity nonetheless cost each small
company $563,000 and each large company $2.5 million in 2005, on
average, Hartman said.
Many companies polled think the Sarbanes-Oxley legislation is
overkill. A clear majority (82%) said corporate governance and public
disclosure reforms are too strict. For the first time in four years,
not a single respondent said the reforms are not strict enough,
Hartman said.
Foley & Lardner's study includes data from 114 survey respondents and
850 proxy statements of public companies. Full study results are
available on Foley & Lardner's Web site [1].
[1] http://www.foley.com/2006publicstudy
All contents copyright 1995-2006 Network World, Inc.
From isn at c4i.org Mon Jun 19 03:40:54 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:40:54 -0500 (CDT)
Subject: [ISN] Linux Advisory Watch - June 16th 2006
Message-ID:
+---------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| June 16th, 2006 Volume 7, Number 25n |
| |
| Editorial Team: Dave Wreski dave at linuxsecurity.com |
| Benjamin D. Thomas ben at linuxsecurity.com |
+---------------------------------------------------------------------+
Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.
This week, advisories were released for freetype, webcalendar,
kernel, horde3, horde2, wv2, subversion, ruby, squid, dovecot,
gdm, autofs, shadow-utils, rsync, mysql, python, scim, freetype2,
squirrelmail, libtiff, spamassassin, sendmail, mailman, kdebase,
postgresql, and php. The distributors include Debian, Fedora,
Mandriva, Red Hat, and SuSE.
---
Security on your mind?
Protect your home and business networks with the free, community
version of EnGarde Secure Linux. Don't rely only on a firewall to
protect your network, because firewalls can be bypassed. EnGarde
Secure Linux is a security-focused Linux distribution made to protect
your users and their data.
The security experts at Guardian Digital fortify every download of
EnGarde Secure Linux with eight essential types of open source
packages. Then we configure those packages to provide maximum
security for tasks such as serving dynamic websites, high
availability mail, transport, network intrusion detection,
and more. The result for you is high security, easy
administration, and automatic updates.
The Community edition of EnGarde Secure Linux is completely
free and open source. Updates are also freely available when
you register with the Guardian Digital Secure Network.
http://www.engardelinux.org/modules/index/register.cgi
---
How To Break Web Software
By: Eric Lubow
With a tool so widely used by so many different types of people
like the World Wide Web, it is necessary for everyone to
understand as many aspects as possible about its functionality.
From web designers to web developers to web users, this is a must
read. Security is a job for everyone and How To Break Web Software
by Mike Andrews and James A. Whittaker is written for everyone
to understand.
Although this book may be geared more towards the developer,
it is really a book for everyone. As I mentioned before, security
is everyone's responsibility. The ideas, concepts, and procedures
outlined in this book are things that even just the average user
should be able to pick up on and alert the webmaster of in order
to prevent potential disaster.
It is necessary to keep in mind that this book, although
seemingly full of information on how to attack web sites and
bring down servers is for informational and educational
purposes. It is to inform the developers of common programming
and design mistakes. It is also to ensure that common users with
no malicious intent can spot problems in design and nip them in
the bud before the problems become catastrophic.
The book begins by showing the reader, in no uncertain terms, the
basic concepts that are outlined throughout the book. The first idea
is to get everyone on the same page with client-server relationships
and general information about the world wide web.
One of the most important aspects of an attack is knowing your
victim. The first informational chapter in this book discusses
gathering information on a potential target. Just as with all
forthcoming chapters, this one begins with the obvious
information and progresses into the more obscure, less thought
about topics.
Once the information has been gathered, either via source code,
URLs, or any other method that potentially puts information out
in the open, the attacks can begin. There are many ways in which
these attacks can happen. The authors begin by discussing
attacks on the user (client) input and how validation needs
to occur or the input needs to be sanitized. They then move
on to talk about state-based attacks, either through CGI
parameters or hidden fields within forms. These ideas are
also extended to discuss cookie poisoning, URL jumping, and
session hijacking (which can also include man-in-the-middle
attacks). Without all this information consistently being checked
and verified, it is possible for those with malicious intent to
inject information into a session.
http://www.linuxsecurity.com/content/view/122713/49/
----------------------
Linux File & Directory Permissions Mistakes
One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.
http://www.linuxsecurity.com/content/view/119415/49/
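The mistake the article describes, overly liberal permissions, is easy to find mechanically. The following is an added audit script, not part of the LinuxSecurity article: it walks a directory tree and lists files and directories that are world-writable without the sticky bit (so a 1777 /tmp-style directory is not flagged). The function names and the scratch tree built by demo_world_writable are constructed for this example; run audit_world_writable against a real path such as /etc to use it.

```shell
# Added example (not from the article): audit a tree for world-writable
# files and directories, which are the "far too liberal" permissions the
# article warns about. Function names are this example's own.
audit_world_writable() {
    # $1: directory to audit. Prints one "ls -ld" line per world-writable
    # file or directory that lacks the sticky bit. -xdev keeps the walk on
    # one filesystem so /proc, /sys and network mounts are not scanned.
    find "$1" -xdev \( -type f -o -type d \) -perm -o+w ! -perm -1000 \
        -exec ls -ld {} \; 2>/dev/null
}

count_world_writable() {
    # Number of findings under $1, as a bare integer on stdout.
    audit_world_writable "$1" | wc -l | tr -d ' '
}

demo_world_writable() {
    # Builds a constructed scratch tree so the audit can be exercised offline:
    # one correctly protected file, one world-writable file (the mistake),
    # and a sticky world-writable directory that should be skipped.
    tmp=$(mktemp -d)
    mkdir "$tmp/etc" "$tmp/tmp"
    chmod 755 "$tmp/etc"
    printf 'x\n' > "$tmp/etc/config"
    printf 'y\n' > "$tmp/etc/secret"
    chmod 644 "$tmp/etc/config"      # owner-writable only: fine
    chmod 666 "$tmp/etc/secret"      # world-writable: the mistake, flagged
    chmod 1777 "$tmp/tmp"            # sticky world-writable dir: expected, skipped
    count_world_writable "$tmp"      # prints 1
    rm -rf "$tmp"
}
```

Run it regularly (for example from cron) and diff the output against a known-good baseline; a new world-writable file under /etc, /usr or a service's home directory is worth an immediate look.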
--------
--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf
+---------------------------------+
| Distribution: Debian | ----------------------------//
+---------------------------------+
* Debian: New freetype packages fix several vulnerabilities
10th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123074
* Debian: New webcalendar packages fix arbitrary code execution
13th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123114
* Debian: New Kernel 2.4.27 packages fix several vulnerabilities
14th, June, 2006
Several local and remote vulnerabilities have been discovered in the
Linux kernel that may lead to a denial of service or the execution of
arbitrary code.
http://www.linuxsecurity.com/content/view/123139
* Debian: New horde3 packages fix cross-site scripting
14th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123152
* Debian: New horde2 packages fix cross-site scripting
14th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123153
* Debian: New wv2 packages fix integer overflow
15th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123160
+---------------------------------+
| Distribution: Fedora | ----------------------------//
+---------------------------------+
* Fedora Core 5 Update: subversion-1.3.2-2.1
9th, June, 2006
This update includes the latest upstream release of Subversion, which
fixes a number of minor bugs.
http://www.linuxsecurity.com/content/view/123068
* Fedora Core 4 Update: ruby-1.8.4-2.fc4
9th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123069
* Fedora Core 5 Update: squid-2.5.STABLE14-2.FC5
9th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123070
* Fedora Core 5 Update: ruby-1.8.4-5.fc5
9th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123071
* Fedora Core 5 Update: dovecot-1.0-0.beta8.2.fc5
9th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123072
* Fedora Core 5 Update: gdm-2.14.8-1
9th, June, 2006
This update also upgrades GDM to version 2.14.8.
http://www.linuxsecurity.com/content/view/123073
* Fedora Core 5 Update: autofs-4.1.4-25
11th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123075
* Fedora Core 4 Update: autofs-4.1.4-24
11th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123076
* Fedora Core 4 Update: kernel-2.6.16-1.2115_FC4
11th, June, 2006
An update to the upstream 2.6.16.20 release, fixing up a few more
security related problems.
http://www.linuxsecurity.com/content/view/123077
* Fedora Core 5 Update: kernel-2.6.16-1.2133_FC5
11th, June, 2006
An update to the upstream 2.6.16.20 release, fixing up a few more
security related problems.
http://www.linuxsecurity.com/content/view/123078
* Fedora Core 5 Update: shadow-utils-4.0.14-9.FC5
12th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123107
* Fedora Core 5 Update: rsync-2.6.8-1.FC5.1
12th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123112
* Fedora Core 4 Update: rsync-2.6.8-1.FC4.1
12th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123113
* Fedora Core 5 Update: mysql-5.0.22-1.FC5.1
13th, June, 2006
Repairs vulnerability in multibyte string escaping.
http://www.linuxsecurity.com/content/view/123123
* Fedora Core 4 Update: mysql-4.1.20-1.FC4.1
13th, June, 2006
Repairs multibyte string escaping vulnerability.
http://www.linuxsecurity.com/content/view/123124
* Fedora Core 5 Update: python-2.4.3-4.FC5
13th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123125
* Fedora Core 5 Update: scim-1.4.4-9.4.fc5
13th, June, 2006
This update fixes broken libtool linking of libs to be against
libstdc++so7.
http://www.linuxsecurity.com/content/view/123126
* Fedora Core 5 Update: python-docs-2.4.3-0.9.FC5
14th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123158
+---------------------------------+
| Distribution: Mandriva | ----------------------------//
+---------------------------------+
* Mandriva: Updated freetype2 packages fixes multiple
vulnerabilities.
12th, June, 2006
Integer underflow in Freetype before 2.2 allows remote attackers to
cause a denial of service (crash) via a font file with an odd number
of blue values, which causes the underflow when decrementing by 2 in
a context that assumes an even number of values.
http://www.linuxsecurity.com/content/view/123110
* Mandriva: Updated freetype2 packages fixes multiple
vulnerabilities.
14th, June, 2006
The previous update introduced some issues with other applications
and libraries linked to libfreetype, that were missed in testing for
the vulnerability issues. The new packages correct these issues.
http://www.linuxsecurity.com/content/view/123127
* Mandriva: Updated gdm packages fix vulnerability
14th, June, 2006
A vulnerability in gdm could allow a user to activate the gdm setup
program if the administrator configured a gdm theme that provided a
user list. The user could do so by choosing the setup option from
the menu, clicking the user list, then entering his own password
instead of root's. The updated packages have been patched to correct
this issue.
http://www.linuxsecurity.com/content/view/123128
* Mandriva: Updated squirrelmail packages fix vulnerabilities
14th, June, 2006
A PHP remote file inclusion vulnerability in functions/plugin.php in
SquirrelMail 1.4.6 and earlier, if register_globals is enabled and
magic_quotes_gpc is disabled, allows remote attackers to execute
arbitrary PHP code via a URL in the plugins array parameter.
http://www.linuxsecurity.com/content/view/123155
* Mandriva: Updated libtiff packages fix tiff2pdf vulnerability
14th, June, 2006
A buffer overflow in the t2p_write_pdf_string function in tiff2pdf in
libtiff 3.8.2 and earlier allows attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a TIFF file
with a DocumentName tag that contains UTF-8 characters, which
triggers the overflow when a character is sign extended to an integer
that produces more digits than expected in a sprintf call.
http://www.linuxsecurity.com/content/view/123156
* Mandriva: Updated spamassassin packages fix vulnerability
14th, June, 2006
A flaw was discovered in the way that spamd processes the virtual POP
usernames passed to it. If running with the --vpopmail and
--paranoid flags, it is possible for a remote user with the ability
to connect to the spamd daemon to execute arbitrary commands as the
user running spamd.
http://www.linuxsecurity.com/content/view/123157
* Mandriva: Updated sendmail packages fix remotely exploitable
vulnerability
15th, June, 2006
A vulnerability in the way Sendmail handles multi-part MIME messages
was discovered that could allow a remote attacker to create a
carefully crafted message that could crash the sendmail process
during delivery. The updated packages have been patched to correct
these issues.
http://www.linuxsecurity.com/content/view/123159
+---------------------------------+
| Distribution: Red Hat | ----------------------------//
+---------------------------------+
* RedHat: Moderate: mailman security update
9th, June, 2006
An updated mailman package that fixes a denial of service flaw is now
available for Red Hat Enterprise Linux 3 and 4. This update has been
rated as having moderate security impact by the Red Hat Security
Response Team.
http://www.linuxsecurity.com/content/view/123064
* RedHat: Important: mysql security update
9th, June, 2006
Updated mysql packages that fix multiple security flaws are now
available. This update has been rated as having important security
impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123065
* RedHat: Important: sendmail security update
14th, June, 2006
Updated sendmail packages are now available to fix a denial of
service security issue. This update has been rated as having
important security impact by the Red Hat Security Response Team.
http://www.linuxsecurity.com/content/view/123150
* RedHat: Important: kdebase security update
14th, June, 2006
Updated kdebase packages that correct a security flaw in kdm are now
available for Red Hat Enterprise Linux 4. This update has been rated
as having important security impact by the Red Hat Security Response
Team.
http://www.linuxsecurity.com/content/view/123151
+---------------------------------+
| Distribution: SuSE | ----------------------------//
+---------------------------------+
* SuSE: PostgreSQL SQL injection attacks
9th, June, 2006
Two character set encoding related security problems were fixed in
the PostgreSQL database server: CVE-2006-2313 and CVE-2006-2314.
http://www.linuxsecurity.com/content/view/123061
* SuSE: php4,php5 problems (SUSE-SA:2006:031)
14th, June, 2006
This update fixes the following security issues in the PHP scripting
language, both version 4 and 5: Invalid characters in session names
were not blocked, CVE-2006-2657.
http://www.linuxsecurity.com/content/view/123136
* SuSE: sendmail remote denial of service
14th, June, 2006
Updated package.
http://www.linuxsecurity.com/content/view/123149
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com
To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------
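The tiff2pdf entry in the Mandriva section of this digest describes an overflow that occurs when a character is sign extended before an octal sprintf conversion, producing far more digits than the output buffer was sized for. The C below is an added example written for this digest; it is not libtiff's code or the advisory's. It assumes the PDF-string convention of writing a high byte as a backslash followed by three octal digits (at most 4 output bytes per input byte), and the sample input is constructed. It shows the length difference between the sign-extended and the unsigned form, and a bounded rewrite that refuses to write past its buffer instead of overflowing.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not libtiff code): a sign-extended char reaching an
 * octal conversion.  Assumes the PDF-string convention "\ooo" for high
 * bytes, i.e. a budget of at most 4 output bytes per input byte.
 */

/* Characters produced when the byte reaches "%.3o" after sign extension,
   which is what a plain `char` does on platforms where char is signed.
   0xC3 becomes -61, promotes to int, and %o then reads the bit pattern as
   the unsigned value 0xFFFFFFC3: 11 octal digits instead of 3, so the
   4-bytes-per-character budget is exceeded. */
int escape_len_sign_extended(unsigned char b) {
    signed char sc = (signed char)b;
    unsigned int seen_by_o = (unsigned int)(int)sc;  /* explicit, well-defined */
    return snprintf(NULL, 0, "\\%.3o", seen_by_o);
}

/* The corrected form: treat the byte as unsigned, so 0xC3 becomes "\303". */
int escape_len_unsigned(unsigned char b) {
    return snprintf(NULL, 0, "\\%.3o", (unsigned int)b);
}

/* Escape a byte string for a PDF-style literal into a bounded buffer.
   Returns the number of characters written (excluding the NUL), or -1 if
   the output would not fit; it never writes past outsz bytes. */
int escape_bytes(const unsigned char *in, size_t n, char *out, size_t outsz) {
    size_t used = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        unsigned char b = in[i];
        int w;
        if (b == '(' || b == ')' || b == '\\')
            w = snprintf(out + used, outsz - used, "\\%c", b);
        else if (b < 0x20 || b >= 0x7f)
            w = snprintf(out + used, outsz - used, "\\%.3o", (unsigned int)b);
        else
            w = snprintf(out + used, outsz - used, "%c", b);
        /* snprintf reports the length it wanted; >= remaining means truncation */
        if (w < 0 || (size_t)w >= outsz - used) { out[used] = '\0'; return -1; }
        used += (size_t)w;
    }
    return (int)used;
}

/* Constructed sample input: "Doc" followed by U+00E9 in UTF-8 (0xC3 0xA9). */
static const unsigned char SAMPLE[] = { 'D', 'o', 'c', 0xC3, 0xA9 };

/* Run the escaper on the sample with a buffer of the given size (capped at 64). */
int sample_escaped_len(size_t outsz) {
    char out[64];
    if (outsz > sizeof out) outsz = sizeof out;
    return escape_bytes(SAMPLE, sizeof SAMPLE, out, outsz);
}

/* 1 if escaping the sample yields exactly `expected`. */
int sample_matches(const char *expected) {
    char out[64];
    int n = escape_bytes(SAMPLE, sizeof SAMPLE, out, sizeof out);
    return n >= 0 && strcmp(out, expected) == 0;
}

int main(void) {
    char out[64];
    printf("0xC3 via sign-extended char: %d chars; via unsigned char: %d chars\n",
           escape_len_sign_extended(0xC3), escape_len_unsigned(0xC3));
    int n = escape_bytes(SAMPLE, sizeof SAMPLE, out, sizeof out);
    printf("escaped (%d chars): %s\n", n, out);
    printf("with an 11-byte buffer: %d\n", sample_escaped_len(11));
    return 0;
}
```

The 5-byte sample needs 11 output characters plus a NUL, so a 12-byte buffer succeeds and an 11-byte one is refused rather than overrun. The same input passed through the sign-extended path would want 12 characters for the single byte 0xC3 alone, which is exactly how a buffer sized at 4 bytes per character is overflowed.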
From isn at c4i.org Mon Jun 19 03:41:16 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:41:16 -0500 (CDT)
Subject: [ISN] Laptop with City Employees' Info Stolen
Message-ID:
http://www.wjla.com/news/stories/0606/337194.html
June 18, 2006
Washington (AP) - Information on 13,000 D.C. government workers and
retirees has been stolen, along with the laptop computer where it was
stored.
Officials with ING Financial Services say the Social Security numbers
and other information on the employees were stored on a computer that
was stolen from an ING employee's Southeast Washington home. ING
administers the District's retirement plan.
Company officials say the laptop was stolen on Monday but they didn't
notify the city about the theft until late Friday because they had to
figure out what information was stored on the computer.
The laptop was not protected by a password or encryption. ING is
alerting all affected account holders to the risk of identity theft.
The company will set up and pay for a year of credit monitoring and
identity fraud protection.
City officials say they're concerned that the information was not
protected, and that the company waited so long to report it.
Copyright 2006 by The Associated Press.
From isn at c4i.org Mon Jun 19 03:41:35 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:41:35 -0500 (CDT)
Subject: [ISN] Computer breach exposes WIU students' data
Message-ID:
http://www.pjstar.com/stories/061606/REG_BA4963CQ.033.shtml
BY JODI POSPESCHIL
OF THE JOURNAL STAR
June 16, 2006
MACOMB - A computer system breach at Western Illinois University
earlier this month has led to the possible compromise of student
information, including Social Security numbers, the school said
Thursday.
WIU officials said the school has "closed a breach in computer
security and adopted additional security measures" in response to a
June 5 incident. The school said the incident involved "data
security."
WIU spokesman John Maguire said Thursday the school has multiple
computer systems and one of them, which contains student information,
was breached.
The system houses not only Social Security numbers but also credit
card information for people who have made purchases online from the
school's bookstore or who have stayed at the University Union hotel.
"Checks (on the system) are made on a regular basis," Maguire said.
"During one of those checks the (problem) was noticed and immediately
fixed."
Maguire also said the school's academic records were not part of those
accessed.
"The grades and transcripts are secure," he said.
In a release issued Thursday, school officials said an investigation
doesn't show evidence that any records were copied from the school's
files. Even so, the school is still notifying anyone who has records
in the system that their files could have been viewed or copied.
WIU officials said they are reviewing all operations of the school's
computer systems.
Review by a campuswide technical group is being coordinated by Mitch
Davidson, executive director of the University Computer Support
Services.
"We are working diligently to ensure that the university computer
systems are as secure as possible, with the goal that this type of
breach doesn't occur again," Davidson said.
A letter to the campus community was put on the school's Web site. The
letter was written by W. Garry Johnson, WIU's vice president for
student services.
The letter reminds those with records in the system to protect against
identity theft.
Maguire said letters are being sent to anyone who had records in the
system.
Because of the criminal implications of the breach, school officials
said the WIU Office of Public Safety has been notified. WIU also has
set up a Web site to disseminate information about the issue at
www.wiu.edu/securityalert.
© 2006 PEORIA JOURNAL STAR, INC.
From isn at c4i.org Mon Jun 19 03:41:59 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:41:59 -0500 (CDT)
Subject: [ISN] Encryption can save data in laptop lapses
Message-ID:
http://seattlepi.nwsource.com/business/1700AP_Laptops_Security.html
By STEPHEN MANNING
ASSOCIATED PRESS WRITER
June 17, 2006
ROCKVILLE, Md. -- Reports of data theft often conjure up images of
malicious hackers breaking into remote databases to filch Social
Security numbers, credit card records and other personal information.
But a lot of the time, the scenario is much simpler: A careless worker
at a company or agency with weak security policies falls prey to a
low-tech street thug who runs off with a laptop loaded with private
data.
In the biggest case, the Department of Veterans Affairs recently lost
data on 26.5 million veterans and military personnel stored on a
laptop and external drive stolen from the suburban Washington home of
a VA employee.
Security experts and some privacy groups say simple measures could
protect data if a laptop falls into nefarious hands. They include
encrypting the information so it's nearly impossible to access without
the correct credentials.
"It is shocking how many of these are stolen laptops and the fact
that the users of the laptops did not use encryption to secure the
data," Beth Givens, director of the Privacy Rights Clearinghouse, said
of recent data losses. "If thieves read the newspaper, they can
readily figure out that they have got more than just a piece of
hardware."
Since June 2005, there have been at least 29 known cases of misplaced
or stolen laptops with data such as Social Security numbers, health
records and addresses of millions of people, according to the Privacy
Rights Clearing House, a San Diego-based nonprofit that tracks data
thefts.
So far, there is no evidence the stolen data were used for identity
theft or other nefarious purposes. In most cases, the laptop itself,
not the personal information on it, was the likely target of the
theft.
Sometimes, there's no good reason for why so much information is being
kept on individual machines that are designed to be carried out of the
office. In other cases, workers were allowed to have the data on the
laptops but didn't follow proper procedures for keeping it safe. In
others, they broke the rules by taking personal data out of the office
or not protecting it with digital tools.
Laptops have been stolen from cars, gone missing when checked for
airline flights, and been taken from offices and employee homes.
Hospitals, universities, consulting firms, banks, health insurers and
even a YMCA have lost personal data.
The portable computers are usually protected by passwords needed to
boot them up, but the data on their drives are still accessible.
Encryption, on the other hand, scrambles the information and would
render it useless to a thief without a digital key that decrypts the
data.
A variety of encryption tools are available, including software as
well as specialized chips.
But many people are reluctant to use them because losing the key can
make it hard to access the data and the programs can slow down data
access, said Alan Paller, director of research at the SANS Institute,
a computer-security organization in Bethesda.
That could change as computer manufacturers start selling laptops with
encryption built in. Microsoft's Windows Vista operating system, due
late this year for businesses and early next year for consumers, is
expected to make it easier for users to encrypt all their data.
Many states now require companies and organizations that store
personal information to inform the public when the data leaks. But
those laws generally don't make reporting obligatory if the lost data
were encrypted.
Some companies that have lost laptops are responding with better
security measures.
Ernst & Young, which has 30,000 laptops used by its highly mobile
staff of consultants, is encrypting all contents on the computers,
according to company spokesman Charlie Perkins.
But in February, as the policy was being implemented, a laptop that
hadn't been encrypted was stolen from an employee's car. With it went
the names, addresses, and credit card information of about 243,000
customers of Ernst & Young client Hotels.com. Perkins said there is no
evidence any of the data was misused.
"We evaluated our policies in this area across the board," he said.
"Encryption is the most significant step."
Of course, security measures can only work if they are actually used.
In several cases, laptops were lost or stolen when employees violated
company rules by leaving them in parked cars or in their homes. And
data that are supposed to be encrypted by an employee sometimes
aren't.
On June 2, grocery retailer Royal Ahold NV said contractor Electronic
Data Systems Corp. lost a laptop with personal information on an
undisclosed number of retirees and former workers of Ahold companies,
including grocery chains Stop & Shop and Giant Food.
The EDS worker was asked to check the laptop on a flight because the
plane's storage bins were full, according to EDS spokesman Kevin
Lightfoot. When the flight arrived, the laptop never reappeared. The
employee was disciplined for violating company policy by checking the
computer as luggage, Lightfoot said.
Since the incident, EDS has reminded its employees about rules on
handling laptops.
"You have to work with your employees to make sure this information is
protected," Lightfoot said.
In January, Ameriprise Financial, an investment advisory company, said
the internal account identification numbers of 158,000 clients were
lost when a laptop was stolen from an employee's car. The employee was
supposed to have encrypted the data, which was on two files, but had
not, according to Ameriprise spokesman Steven Connolly. The worker was
fired.
The VA plans to recall every laptop to make sure the security programs
are up to date. The data on the laptop taken from the suburban
Washington home were in a form difficult for an outsider to use, and
authorities believe thieves may have erased the information before
selling the hardware.
But that doesn't satisfy August Woerner, an 80-year-old World War II
veteran from Westerly, R.I. He received a letter from the VA saying
his data may be on the laptop because of a claim he filed several
years ago at a VA medical center.
Woerner takes every precaution he can to shield personal information -
he checks his credit rating online regularly, shreds financial
documents and monitors the balance of his credit card nearly every
day. Despite his diligence, he is convinced someone will steal his
identity soon.
"I do the best I can, but I can't very well fight this theft," said
Woerner. "That data should not be readily available by someone simply
walking it out of a building."
© 1996-2006 Seattle Post-Intelligencer
From isn at c4i.org Mon Jun 19 03:44:09 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:44:09 -0500 (CDT)
Subject: [ISN] UBS Trial: Parts of Attack Code Found At Defendant's Home
Message-ID:
http://www.informationweek.com/news/showArticle.jhtml?articleID=189500138
By Sharon Gaudin
InformationWeek
June 16, 2006
Newark, N.J. --- Efforts by the defense in the UBS PaineWebber
computer sabotage trial to foist blame elsewhere took a hit Friday,
after testimony from a U.S. Secret Service agent revealed that parts
of the code used to bring down the UBS network four years ago were
found on two of the defendant's home computers, as well as in a
hardcopy printout lying on top of his bedroom dresser.
The Secret Service testimony ended what had been a week of contentious
arguments on a strong note for the prosecution.
Secret Service agents executed a warrant and searched the Bogota, N.J.
home of Roger Duronio, on March 21, 2002 -- 17 days after the
financial giant was hit by what prosecutors are calling a logic bomb.
The segment of code found in his home was part of the 50 to 70 lines
of malicious code that was used to take down about 2,000 servers,
including UBS' main host server in its Weehawken, N.J. data center,
along with branch servers in about 370 offices around the country in
the March 4, 2002 incident.
Duronio, 63, is facing four federal criminal charges, including
computer sabotage, securities fraud and mail fraud. The government
contends he crippled the company's network in a vengeful plot aimed at
making money by buying stock options that would pay off if the
company's stock dropped - something he allegedly tried to make happen
by shutting down UBS' ability to do business for anywhere between a
day and several weeks, depending on the location.
While cross-examining other witnesses in court this past week, Chris
Adams, Duronio's defense attorney, hammered away at what he's calling
significant weaknesses in UBS' security. He says the network was
riddled with holes that could have allowed a hacker or another system
administrator to plant the malicious code.
Adams has thrown a slew of possible who-done-it theories at the jury,
including repeated suggestions that the damage was caused by Cisco
Systems, Inc. during a planned penetration test of the UBS network
that month, or that there was some impropriety by @Stake, Inc., the
first forensic team called in on the case.
However, in his testimony Thursday, Secret Service Special Agent
Gregory O'Neil said all trails led to Duronio.
He told the jury that a team of 14 agents conducted the four-hour
search that led them to a folded up piece of paper with scribbles on
the back of it. The paper, which sat on the dresser in Duronio's
master bedroom, had the code for the logic bomb's trigger mechanism
printed out on it.
O'Neil said several pieces of the coding on the paper quickly jumped
out at him: mon; hour >= 9; min >= 30; mrm.
''I knew UBS' computer system had gone down on a Monday at 9:30 [a.m.]
and I knew 'mrm' was identified as part of the malicious code,'' he
told the jury. ''It was the source code for the trigger of the logic
bomb.'' There was a line at the very top of the printout:
wait_tst.c.txt. Agent O'Neil also said the Secret Service seized four
computers from Duronio's home that day. They subsequently found the
wait_tst.c.txt file on two of the seven hard drives that were
contained in the four machines. The code on the computer files was the
''identical'' chain of code that had been found printed out in the
bedroom, he testified. Earlier in the week, the defense took two runs
at Rafael Mendez, who was UBS' division vice president for network
services at the time of the attack.
Adams, who is a partner at Walder, Hayden & Brogan in Roseland, N.J.,
pointed out repeatedly that in 2001 and 2002, UBS' security
configuration allowed more than one person to log onto the system at
the exact same time using the exact same user ID and password. He also
pounded on the fact that root users all had the same root password.
Adams asked Mendez if a root user had the ability to edit a VPN log,
and Mendez said it could be done if the user had a ''specialized tool
set.''
Alan Paller, director of research at the SANS Institute, said in an
interview that having root users share a password isn't a good
security practice, but it's far from being uncommon.
''One company that's a household word in America has thousands and
thousands of servers, and one root password,'' said Paller. ''The
systems administrator lives in a world where that is common. It's
common because, historically, on Unix systems there was only one root
account, and if three people wanted to manage a machine, they had to
be root to do it.''
As for multiple users being able to log onto the system with the same
ID and password at the exact same time, Paller said it's a problem,
but again not one that's unique to UBS.
''It's a characteristic of Unix,'' he said. ''It's not a
characteristic of UBS. You could have a policy to stop it but it's
efficient for multiple people doing a lot of work.''
During re-direct, Assistant U.S. Attorney Mauro Wolfe, the lead
prosecutor on the case, pointed out that many of the security problems
that the defense was bringing up had been noted in a Year 2000 audit
report, two years before the attack on the company's network. Mendez
said the document specified that the password and user account
administration issues, for example, would be assessed a few months
after the report was released.
However, on re-cross examination, Adams asked Mendez if another audit
report had been done to show that the problems had been fixed. Mendez
said he did not know of any.
Adams then noted that the post mortem report on the attack found that
the UBS ''security group lacks power and resources''. He also noted
that the report said, ''We know that there were problems with security
but the reason we did not get to them was lack of resources and lack
of organization...Productivity outweighed security.''
Adams also pointed to UBS' web-based applications, asking Mendez if
security was as tight around accessing them, compared to accessing the
company's VPN and internal network. Mendez agreed that security wasn't
as tight for web apps, but later, on redirect, he noted that the
web-based applications don't offer users access to the company's main
host server or branch servers, which are protected by UBS perimeter
defenses.
The defense also turned its attention on two companies outside of UBS
PaineWebber.
Over the course of cross-examining several witnesses, Adams repeatedly
brought up the point that former hackers work at @Stake, Inc., the
company that UBS initially brought in to do forensic work immediately
after the incident. ''Are hackers good people?'' he asked. ''Are
hackers reliable?''
The research labs in @Stake, which was bought by Symantec Corp. in
2004, were headed up by Peiter C. Zatko (also known in the industry as
Mudge), the former CEO and chief scientist of the L0pht, a
high-profile hacker think tank. Mudge, however, worked his way into
the legitimate business world, testifying before a Senate Committee on
Government Affairs, and counseling President Clinton in the White
House on security issues.
Mendez testified that other Wall Street firms had recommended several
forensic companies, including @Stake, to UBS after their servers were
taken down. In 2004, Mudge reportedly became a division scientist
working at government contractor, BBN Technologies.
''In my opinion, it's generally a bad idea to bring in old hackers
because they have habits that are hard to break,'' said Paller in a
separate interview. ''From that perspective, they would be a bad bet
for analysis of a company's security. But for forensics, they are
often the best idea. There's the old statement about 'it takes one to
know one'. Somebody who has broken into computers is more likely to
see the evidence of a break-in. For forensics, when they are tightly
managed, it's a great idea.''
The defense also took several stabs at suggesting that Cisco Systems,
a networking industry giant, might have been responsible for taking
down the UBS network during a penetration test that was ongoing during
the March 4, 2002 incident.
Never actually coming out and accusing Cisco directly of the
take-down, Adams repeatedly asked witnesses if they knew that Cisco
had been hired to do the penetration test between February and March
of 2002.
''Would it have been helpful to know Cisco was trying to test and
bring down the network and operations?'' Adams asked Rajeev Khanna,
manager for UBS's Unix Systems Group at the time of the attack. Khanna
replied that he did not know about the test at the time.
In a written statement to InformationWeek.com, a spokesman for Cisco
said, ''While Cisco does not disclose details of the work we perform
for our customers, we are unaware of any issues related to any service
Cisco has performed for UBS.''
Copyright © 2005 CMP Media LLC
From isn at c4i.org Mon Jun 19 03:44:20 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:44:20 -0500 (CDT)
Subject: [ISN] Network analysis, OmniPeek Personal released
Message-ID:
http://www.omnipeek.com
WildPackets, Inc. has released a free personal edition of their
OmniPeek product - a full-featured wired and wireless packet analyzer.
In addition, a number of free plug-ins have been made available (with
source code): one for distributed network analysis, a Google Maps
plug-in, and one that saves packet captures to SQL databases.
From isn at c4i.org Mon Jun 19 03:44:43 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:44:43 -0500 (CDT)
Subject: [ISN] Web used to lure terror suspects
Message-ID:
Forwarded from: William Knowles
http://www.thestar.com/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_Type1&c=Article&cid=1150494610771&call_pageid=968332188492
By SANDRO CONTENTA
EUROPEAN BUREAU
June 17, 2006
LONDON - On a cold night last October, police stormed a West London
apartment and found Younis Tsouli at his computer, allegedly building
a Web page with the title "You Bomb It."
Initially, the raid seemed relatively routine, one of about 1,000
arrests made under Britain's terrorism act during the last five years.
The more eye-popping evidence was allegedly found in the London-area
homes of two accused co-conspirators: a DVD manual on making suicide
bomb vests, a note with the heading "Welcome to Jihad," material on
beheadings, a recipe for rocket fuel, and a note with the formula
"hospital = attack."
But as investigators sifted through computer disk information the
picture that emerged was dramatic. Police had apparently stumbled on
the man suspected of being the most hunted cyber-extremist in the
world.
Tsouli, a 22-year-old Moroccan, is being widely named as a central
figure in a cyber-terrorist network that has inspired suspected
homegrown extremists in Europe and North America, including the 17
people recently arrested in the Toronto area.
The 750 gigabytes of confiscated computer and disk information - an
average DVD movie is 4.7 gigabytes - found in Tsouli's computer files
form an Internet trail believed to link some of the 39 terror suspects
arrested in Canada, Britain, the United States, Sweden, Denmark and
Bosnia over the past eight months.
A source with close knowledge of the Tsouli case has told the Toronto
Star of evidence that he used the Web address Irhabi007 - the
cyber-persona of the most notorious extremist hacker on the World Wide
Web.
"Irhabi007 was like the Godfather of cyber-terrorism for Al Qaeda,"
says Evan Kohlmann, an Internet terrorism consultant and determined
Irhabi tracker. Since coming on the cyber-extremist scene in late
2003, Irhabi's Internet exploits have become the stuff of legend for
the scores of militants reading and chatting on Al Qaeda-inspired
sites.
He almost single-handedly brought the hardcore network into the modern
computer age, solving its most pressing propaganda challenge - how to
distribute heavy multi-media files, such as videos of beheadings, to
the growing ranks of jihadis.
A self-starter believed to have worked mainly from his home, he hacked
and linked his way to become the administrator of the
password-protected forum, Muntada al-Ansar al-Islami, the main
Internet mouthpiece of Abu Musab al-Zarqawi, Al Qaeda's leader in Iraq
until he was killed last week by a U.S. aerial attack.
But his downfall has been as dramatic as his rise.
Says Aaron Weisburd, another Irhabi tracker: "While he was at large,
he was a leader, an opinion-shaper, a solver of problems, and an
inspiration to his friends and associates. Now that the authorities
have him and his hard disk drive, he has become a major liability."
The London-area raid resulted in terrorism related charges against
Tsouli, Waseem Mughal, 22, and Tariq Al-Daour, 19.
Their trial is expected to begin in January.
Among the items allegedly found in Tsouli's computer is a video slide
film on how to make a bomb and another showing sites in Washington,
D.C. The images of the American capital were reportedly filmed by two
Georgia men arrested by the FBI in March and accused in U.S. court
documents of having travelled to Toronto to meet "like-minded
Islamists."
Tsouli immigrated to London four years ago. At the time of his arrest,
his father said Tsouli spoke often of the West waging a war against
Islam. Bachir Tsouli, then deputy head of Morocco's tourism office in
London, said his son had few friends and spent most of his time at his
computer.
"What can you do on the computer?" Bachir, 60, told the Daily Mail
newspaper. "He hasn't been to Iraq or to training camps in
Afghanistan. Tomorrow they will be saying he is a friend of Osama bin
Laden."
No one has accused him of that, but experts who tracked Irhabi007
believe he had links to al-Zarqawi, credited with having turned the
Web into a powerful tool for global jihad.
During the past two years, al-Zarqawi's followers produced scores of
videos on suicide bombings, attacks against U.S. forces in Iraq,
beheadings of hostages, propaganda tracts and terrorist "how to"
manuals.
The problem was distribution - how to post and move heavy files on the
Internet without sites crashing or being shut down. Irhabi007 met the
challenge.
In May 2004, he helped distribute the video of al-Zarqawi's beheading
of American contractor Nicholas Berg. It was quickly copied on
Internet sites and downloaded half a million times within 24 hours.
"He got his name on the map with the Nicholas Berg beheading video,"
says Ned Moran, intelligence analyst with the Virginia-based,
Terrorism Research Center.
Irhabi007's distribution technique became clear two months later, when
he hacked into an FTP site used to transfer big files by the
Arkansas Highway and Transportation Department.
He posted 70 jihadi propaganda files on the site, including videos
featuring Osama bin Laden. He then posted links to the files on the
Muntada site and urged jihadis to download quickly. Arkansas
authorities didn't catch on until 24 hours later. By then, the
material had replicated exponentially, with those who downloaded it
passing it on to others in an almost endless chain.
Irhabi (the word means "terrorist" in Arabic) was using skills largely
unknown in the cyber-jihadi world. And he spread them around, posting
his own hacking manuals for a new generation of more computer-savvy
jihadis increasingly using the Internet as a tool to recruit and plot
attacks.
Irhabi wannabes suddenly began appearing on chat forums, tagging 007
at the end of their Web personas. In October 2004, his status in their
eyes reached heroic proportions. He provided almost immediate links to
a suicide bombing video posted by Abu Maysara al-Iraqi, widely
considered one of al-Zarqawi's closest aides. The initiative led
Maysara to break silence for the first time and post praise for
Irhabi007's work, Kohlmann says.
"Bless the terrorist, Irhabi007," said the message, translated by
Kohlmann, founder of globalterroralert.com. "In the name of Allah, I
am pleased with your presence my beloved brother. May Allah protect
you."
Says Kohlmann: "It's kind of like Bruce Springsteen picking someone
out in a concert and saying, `I love this guy.' That's what the effect
was - people went crazy."
In September 2005, a Terrorist Research Center report described
Irhabi007 as "heavily involved in maintaining Al Qaeda's on-line
presence."
It found evidence on al-Zarqawi's Al-Ansar site listing Irhabi as its
"administrator." The speed with which Irhabi posted links to videos
from al-Zarqawi's Iraqi cell led observers to speculate he was getting
a heads up from al-Zarqawi's people.
He's suspected of stealing identities to register his websites. His
http://www.irhabi007.org domain name was registered to the name,
telephone number and Pennsylvania home address of a first lieutenant
deployed in Iraq, according to the centre's report. He also registered
a Canada-based domain name, http://www.irhaby007.ca.
By the end of 2005, Irhabi007 had a whole army of cyber-terrorism
trackers on his tail. Few were as persistent as Aaron Weisburd,
director of Internet Haganah, dedicated to making on-line life
miserable for cyber-jihadis.
In 2004, Weisburd turned in Irhabi to his service provider and got him
cut off. An incensed Irhabi posted Weisburd's home address in Illinois
on the Internet and took part in chat-room discussions on slicing
Weisburd like a salami.
"I get to keep a finger or an ear," Irhabi wrote, "a little souvenir."
Weisburd reported the threat to the FBI and stepped up his efforts. "I
take all threats seriously," he said in an email exchange with the
Toronto Star. "And like any American 'good ole boy' I have more than
one loaded gun nearby."
In July that year, Irhabi made his first mistake, leaving his IP
(Internet Protocol) address - which can be used to track a user's
location - on a site he was setting up to post a threat against Italy.
Weisburd examined another Irhabi Web page and found a second IP
address. He then posted a message on the Haganah site warning that
Irhabi's files were infected.
Irhabi responded by posting a graphic to prove they were not. His IP
number was blotted out, but not well enough. Weisburd's associate made
it out.
The three IP addresses all pointed to London's Ealing area - the place
where Tsouli would be arrested 15 months later. Weisburd passed the
information on to U.S. and British police but heard nothing back.
In September 2005, a month before Tsouli's arrest, a frustrated
Weisburd posted this message on his site: "Irhabi007 is in Ealing. Or
at least that's where the bastard was when we located him (18 months
ago)."
Since Tsouli's arrest, Weisburd says police have asked him to resubmit
the information he passed on months before.
The events that led to the arrest of the presumed Irhabi began with
police forcing their way into an apartment in Sarajevo on Oct. 19,
arresting 18-year-old Swedish citizen Mirsad Bektasevic and Abdul
Kadir Cesur, a 20-year-old Danish-born Turk.
Almost 20 kilograms of explosives were in the apartment, according to
the indictment filed in a Sarajevo court. A Sony VHS tape also found
gives instructions on how to make a bomb.
Says a voice on the tape, believed to be that of Bektasevic: "These
brothers are ready to attack and, God willing, they will attack the
infidels who are killing our brothers and Muslims in Iraq,
Afghanistan. This weapon will be used against Europe, against those
whose forces are in Iraq and Afghanistan."
Their arrests sparked back-to-back raids in London and Denmark, where
a total of nine men were arrested, including Tsouli. The last number
dialled on his cellular phone was Bektasevic's Bosnian number three
days earlier, according to the Star's source. Since then, arrests have
also been made in the U.S., Canada, Britain and Sweden.
Postings on the Internet by Irhabi007 stopped with Tsouli's arrest.
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
From isn at c4i.org Mon Jun 19 03:44:54 2006
From: isn at c4i.org (InfoSec News)
Date: Mon, 19 Jun 2006 02:44:54 -0500 (CDT)
Subject: [ISN] Suspected Chinese hacker attacks target AIT, MND
Message-ID:
http://www.taipeitimes.com/News/taiwan/archives/2006/06/19/2003314414
STAFF WRITER
June 19, 2006
The American Institute in Taiwan (AIT) and the Ministry of National
Defense (MND) were both recently targeted by computer hackers believed
to be based in China, Defense News reported last week.
The report cited anonymous AIT and defense ministry sources, who said
the attackers were believed to have been China-based hackers looking
to spread misinformation.
On June 5, a hacker sent an e-mail to the media with an attachment
containing a fake press release from the military spokesman's office,
the report said. The release described a meeting between People First
Party members and ministry officials, and was riddled with
distortions and lies, Defense News reported last Tuesday.
Shortly after the e-mail was sent out, officials scrambled to warn
local media not to download any attachments purportedly sent from the
ministry.
Some outlets had already reported the story, but others sought
confirmation from officials and were told that the e-mails were
part of a smear campaign targeting the ministry, the Defense News
report said.
"Our computer was [infected] by a virus. That virus sent a news
release to the media. Some of the information [in the release] was
incorrect," a ministry source reportedly told Defense News.
The report also stated that the account number and password of the
ministry's Web mail system, operated by Chunghwa Telecom, were stolen
by hackers.
So frequent and serious are cyber attacks against government agencies
that the Straits Exchange Foundation, which handles cross-strait
communications with China, issued a letter of complaint to China in
2003, the report said, adding that China did not respond to the
complaint.
Private companies also routinely come under attack by China-based
hackers, making Taiwan the most hacked country in the world, according
to a Central News Agency report in April. The Defense News report
cited local media claims that the nation suffered 250,000 cyber
attacks between 1996 and 2000.
China's People's Liberation Army is widely believed to have a special
unit devoted to information warfare and computer hacking.
Copyright © 1999-2006 The Taipei Times. All rights reserved.
From isn at c4i.org Tue Jun 20 02:16:40 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:16:40 -0500 (CDT)
Subject: [ISN] Phishing scam uses PayPal secure servers
Message-ID:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001247
By Peter Sayer
IDG News Service
June 16, 2006
A cross-site scripting flaw in the PayPal Web site allows a new
phishing attack to masquerade as a genuine PayPal log-in page with a
valid security certificate, according to security researchers.
Fraudsters are exploiting the flaw to harvest personal details,
including PayPal log-ins, Social Security numbers and credit card
details, according to staff at Netcraft Ltd., an Internet services
company in Bath, England. The PayPal site, owned by eBay Inc., allows
users to make online payments to one another, charged to their credit
cards, and log-in credentials for the service are a prized target of
fraudsters.
The attack works by tricking PayPal members into following a
maliciously crafted link to a secure page on PayPal's site. Anyone
thinking to check the site's security certificate at this point will
see that it is a valid 256-bit certificate belonging to the site,
Netcraft employee Paul Mutton wrote in the company's blog on Friday.
However, the URL (uniform resource locator) exploits a flaw in
PayPal's site that allows the fraudsters to inject some of their own
code into the page that is returned, he wrote. In this case, the
result is a warning that the user's account may have been compromised,
and that they "will now be redirected to Resolution Center." The page
to which they are redirected asks for their PayPal account details --
but thanks to the cross-site scripting flaw in the PayPal site, and
the data injected into the URL by the fraudsters, the page is no
longer on the PayPal site. Instead, the page steals the log-in details
and sends them to the fraudsters' server, then prompts the user for
other personal information, Mutton said.
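The mechanism Mutton describes is a reflected cross-site scripting flaw: text taken from the URL is written into the page the genuine server returns, so the certificate is valid and the browser cannot tell the injected markup from the site's own. The following is an added illustration, not PayPal's or Netcraft's code; the URL, the `msg` parameter and the page template are constructed for the example. It places the vulnerable rendering beside the hardened one (output encoding with `html.escape`) and includes the kind of check a site's own test suite would run to catch the reflection.

```python
import html
from urllib.parse import urlparse, parse_qs

# Added illustration, not PayPal's or Netcraft's code. A page template that
# reflects a query parameter ("msg") back into its HTML. render_unsafe shows
# the class of flaw the article describes; render_safe applies output
# encoding so injected markup is displayed as text instead of being parsed.
# The URL and parameter name are constructed for the example.

def message_from_url(url):
    """Extract the untrusted 'msg' query parameter (percent-decoding it)."""
    params = parse_qs(urlparse(url).query)
    return params.get("msg", [""])[0]

def render_unsafe(msg):
    """Vulnerable: untrusted text is concatenated straight into the HTML."""
    return "<html><body><p>Notice: " + msg + "</p></body></html>"

def render_safe(msg):
    """Hardened: HTML-encode the untrusted text before it reaches the page."""
    return ("<html><body><p>Notice: " + html.escape(msg, quote=True)
            + "</p></body></html>")

def markup_survives(page, injected):
    """Detection check for a test suite: does the injected markup appear
    verbatim in the response? True means the reflection is exploitable."""
    return injected in page

# Constructed sample: a link carrying an inert script tag as the marker.
SAMPLE_URL = "https://example.test/notice?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    marker = message_from_url(SAMPLE_URL)
    print("unsafe page reflects markup:", markup_survives(render_unsafe(marker), marker))
    print("safe page reflects markup:  ", markup_survives(render_safe(marker), marker))
```

The fix Prettejohn calls for is exactly the `render_safe` path applied to every reflected value; a Content-Security-Policy header is a useful second layer, but it does not remove the need to encode output, and no amount of certificate checking by the user helps when the injection is served by the real site.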
The Web server harvesting the personal details is hosted in Korea,
Mutton said.
The cross-site scripting technique makes the phishing attempt
difficult to detect, said Mike Prettejohn, also of Netcraft.
If the malicious link arrived by e-mail, then "there would be clues in
the mail that it's not genuine," he said. "It's a technique chosen by
fraudsters because it is hard to spot."
Although there could be benign uses of cross-site scripting to
transfer data between sites, the technique has an inherent security
risk, Prettejohn said. "I don't think people would intentionally use
it," he said.
"If somebody knows there's a cross-site scripting opportunity on their
site, the right thing to do would be to fix it," he said.
Staff at PayPal could not immediately be reached for comment.
From isn at c4i.org Tue Jun 20 02:16:57 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:16:57 -0500 (CDT)
Subject: [ISN] Stratcom leads DOD cyberdefense efforts
Message-ID:
Forwarded from: William Knowles
http://www.fcw.com/article94954-06-19-06-Web
By Josh Rogin
June 19, 2006
Information sharing and protection is a crucial front in the war on
terrorism. Consequently, the Strategic Command (Stratcom) is leading
Defense Department efforts to create a virtual environment, including
nonstop virtual meetings and blogging so warfighters can disseminate
information across locations, commands and rank securely and in real
time.
Lt. Gen. Robert Kehler, deputy commander of Stratcom, explained these
efforts in a keynote speech at AFCEA International's TechNet
International 2006 conference today in Washington, D.C.
"Unfortunately for us, cyberterrorism is cheap, and it's fast," Kehler
said. "Today's terrorist moves at the speed of information."
Cyberterrorism is anonymous and far-reaching. Government, corporate,
personal, public works and airline computers are all attractive
targets that cyberterrorists could attack remotely.
To that end, Stratcom's top priority is to speed the transformation of
DOD into a network-centric force in which all commands are
interconnected and secured. "Information sharing is a strategic
advantage," Kehler said.
"Achieving the full potential of net-centricity requires viewing
information as an enterprise to be shared and as weapons system to be
protected," the 2006 Quadrennial Defense Review states.
Stratcom is also the lead operator of the Global Information Grid,
which aggregates all interconnected and secure DOD information
systems. The command seeks to implement 24-hour, real-time
communications from generals to warfighters while protecting those
communications from adversaries.
The latest innovation is Strategic Knowledge Integration, known as
SKI-web. Part of Stratcom's classified network, SKI-web functions as a
never-ending virtual operation and intelligence meeting. "It is the
key tool that the senior leadership uses to stay abreast of events
unfolding throughout the command and the world, in real time," Kehler
said.
Blogging is one of the ways SKI-web allows users to contribute to
discussions. Every command member, regardless of rank, can blog on
issues that affect them, eliminating the vetting process of command
bureaucracy. "We have a command chain at Stratcom, not an information
chain," Kehler said. All command levels receive information at the
same time, creating an "infosphere" inside which command is exercised,
he said.
Changing the culture of information sharing is the most difficult step
toward using technology to better distribute and protect information,
Kehler said. "The first step in sharing information is the realization
that you must, can and will share it," he said.
From isn at c4i.org Tue Jun 20 02:17:22 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:17:22 -0500 (CDT)
Subject: [ISN] SCADA industry debates flaw disclosure
Message-ID:
http://www.theregister.co.uk/2006/06/19/scada_flaw_debate/
By Robert Lemos
SecurityFocus
19th June 2006
The outing of a simple crash bug has caused public soul-searching in
an industry that has historically been closed-mouthed about its
vulnerabilities.
The flaw, in a particular vendor's implementation of the Inter-Control
Centre Communications Protocol (ICCP), could have allowed an attacker
the ability to crash a server.
Yet, unlike corporate servers that handle groupware applications or
websites, the vulnerable server software - from process-control
application maker LiveData - monitors and controls real-time devices
in electric power utilities and healthcare settings. The best known
types of devices are supervisory control and data acquisition (SCADA)
devices and distributed control system (DCS) devices.
A crash becomes a more serious event in those applications, said Dale
Peterson, CEO of Digital Bond, the infrastructure security firm that
found the flaw.
"These are what you would consider, in the IT world, critical
enterprise applications. But the companies don't act like these are
critical enterprise applications."
LiveData maintains that the flaw is a software bug, not a security
vulnerability, pointing out that it only affects how the LiveData ICCP
Server handles a non-secure implementation of the communications
protocol - typically used only in environments not connected to a
public network.
"In general, SCADA networks are run as very private networks,"
LiveData CEO Jeff Robbins said. "You cannot harness an army of public
zombie servers and attack them, because they are not accessible."
The incident has touched off a heated debate among a small collection
of vulnerability researchers, critical infrastructure security experts
and the typically staid real-time process control systems industry.
The controversy mirrors the long-standing dispute between independent
researchers and software vendors over disclosing vulnerabilities in
enterprise and consumer applications.
In that industry, researchers have taken Apple, Oracle, Cisco and
Microsoft to task at various times over the last year for the
perception that the companies were not responding adequately to
reports of flaws in their software products.
Last week, at the Process Control System Forum (PCSF), a conference on
infrastructure management systems funded by the US Department of
Homeland Security, a similar debate played itself out. Perhaps three
dozen industry representatives and security researchers met during a
breakout session to hash out the issues involving disclosure. The tone
became, at times, contentious, said Matt Franz, the moderator of a
conference panel on the topic and a SCADA security researcher with
Digital Bond.
"The vendors were sticking together saying that (researchers) didn't
need to be involved with SCADA flaws," he said. "'It puts people and
infrastructure in danger,' they said."
Moreover, many vendors did not appreciate the involvement of the US
Computer Emergency Readiness Team (US-CERT), the nation's response
group tasked with managing the process of vulnerability remediation
for critical infrastructure, Franz said.
The LiveData flaw was the first flaw in SCADA systems handled by
US-CERT and the CERT Coordination Centre, the group that manages the
national agency. While valuable as a learning experience, the entrance
of a third party into the disclosure of a flaw in an infrastructure
system brought up more questions than answers. At the PCSF session,
many vendors voiced concerns over involving a third party.
"I did not come away with a feeling that any issues were settled,"
said Art Manion, internet security analyst for the CERT Coordination
Centre and a participant in the discussion at the conference.
The debate over how disclosure should be handled underscores both the
intense focus on SCADA and DCS systems as potential targets of
cyberattacks and the position of many companies in the real-time
process control systems industry that vulnerabilities in such systems
require special treatment.
"In security circles, it is widely discredited that you can secure
something though obscurity - yet SCADA systems are really obscure,"
LiveData's Robbins said. "That is not a statement of a principle of
security and doesn't rationalise anything, but is a fact."
Even SCADA security specialists agree that obscurity can raise the
hurdle enough to keep most online attackers from jumping into SCADA
systems.
"There are some legacy systems out there running plants that are more
secure than many latest and greatest systems, because they are not
connected to the internet or they are using obscure standards," said
Ernest Rakaczky, program director for process control systems at
infrastructure firm Invensys.
That's true - at least to an extent, said CERT Coordination Centre's
Manion.
"The information on these systems can be found by a determined
attacker," he said. "Part of our outreach is to show that people can
find out about these things and find vulnerabilities."
Consultants who have done penetration testing and security audits of
real-time process control systems tell grim stories about the lack of
security in the systems. Data is transferred with no encryption using
protocols, such as Telnet and FTP, that are being phased out in other
industries; many firewalls have ports opened to any traffic; and, many
workstations still run Windows NT, said Jonathan Pollet, vice
president and founder of PlantData Technologies, a division of
infrastructure security company Verano.
"The guys who are setting up these systems are not security
professionals," he said. "And many of the systems that are running
SCADA applications were not designed to be secure - it's a hacker's
playground."
For between five and 10 per cent of the networks audited by PlantData,
a single ping attack or a data flood aimed at a SCADA system could
shut down most of the managed devices, Pollet said.
Yet, security researchers acknowledge that the software that monitors,
manages and runs the variety of manufacturing and infrastructure
control systems is indeed different. While researchers can hold the
threat of public disclosure over the heads of an uncooperative
software maker in the enterprise application arena, publicly outing a
flaw in a SCADA or DCS system has larger ramifications, Pollet said.
"You have to be careful disclosing these issues to the public when the
vendors seem uninterested in talking about the problem, because these
systems cannot be patched overnight and the information could prove
devastating in the wrong hands."
Moreover, software vendors and infrastructure operators legitimately
need more time because most of the industry's legacy systems were not
created to be easily updated.
And, to be fair, LiveData's response to the first SCADA vulnerability
handled by a third party - about three to six months for a fix and
less than nine months for notification - is in line with the response
from many enterprise and commercial software makers. Not bad for an
industry that has not had a history of third-party vulnerability
disclosure, said Digital Bond's Franz.
"The idea that someone outside their customer base would have access
to their product to find vulnerabilities is strange to them," said
Franz, who created an interest group within the Process Control
Systems Forum to hash out the issues.
Security researchers are not the only ones applying pressure to
software developers in the SCADA and DCS industry. The software
maker's customers - infrastructure owners and operators - are starting
to demand proof of security audits, especially in the power industry
where companies are required by a recent law to adhere to the Critical
Infrastructure Protection (CIP) guidelines published by the North
American Electric Reliability Council (NERC).
"The difference that a few months has made is absolutely incredible,"
said Lori Dustin, vice president of marketing and services for
infrastructure security company Verano. "The people I'm meeting with
now have a copy of the NERC documents in their hands."
While many in the real-time process control industry might not agree,
Invensys's Rakaczky stresses that allowing US-CERT to bring other
industries' vulnerability reporting practices to bear on
infrastructure issues should help reduce communications problems and
increase trust.
"People will respond faster than if some random white hat calls them
up out of the blue," he said.
But, while vendors work with US-CERT and focus on improving product
security, infrastructure owners need to move more quickly to prevent
unauthorised access to their systems from the internet and implement
more strict auditing, Rakaczky said.
"Right now, we need perimeter protection," he said. "We need to stop
the wound from bleeding before we can heal it."
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus
From isn at c4i.org Tue Jun 20 02:17:42 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:17:42 -0500 (CDT)
Subject: [ISN] Hello, is this Gov. Minner's secret hot line? Have we got a deal for you
Message-ID:
http://www.delawareonline.com/apps/pbcs.dll/article?AID=/20060616/NEWS/606160329/1006
By JENNIFER BROOKS
News Journal Washington Bureau
06/16/2006
WASHINGTON -- For a governor with a secret hot line to the Department
of Homeland Security, the only thing worse than hearing that phone
ring, is answering the call and hearing:
"Hello! Are you satisfied with your long-distance service provider?"
"Every time that phone rings, it's telemarketers," grumbled Gov. Ruth
Ann Minner, whose secret homeland defense hot line sits in her office,
ringing occasionally with offers of time share condominiums and great
deals on long distance.
"I wonder about the security of that line," said Minner, noting that
other governors have reported similarly unwelcome intrusions on the
hot line phones that are supposed to ring only in the event of a
national catastrophe.
Minner, who sits on a homeland security advisory panel of the National
Governors' Association, mentioned the annoying phone calls Thursday on
a visit to Washington.
The problem, Minner said, seems to be the random-number generators
that telemarketers use.
So what's a governor to do? According to Minner's office, the
Department of Homeland Security placed all the hot line numbers on the
federal government's Do Not Call Registry, which is supposed to ward
off telemarketers.
The Department of Homeland Security did not return calls for comment.
Copyright © 2006, The News Journal.
From isn at c4i.org Tue Jun 20 02:17:54 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:17:54 -0500 (CDT)
Subject: [ISN] Microsoft Posts Excel 'Zero-Day' Flaw Workarounds
Message-ID:
http://www.eweek.com/article2/0,1895,1978835,00.asp
By Ryan Naraine
June 19, 2006
Microsoft's security response center is recommending that businesses
consider blocking Excel spreadsheet attachments at the network
perimeter to help thwart targeted attacks that exploit an unpatched
software vulnerability.
The Redmond, Wash., software giant published a pre-patch advisory on
June 19 with a list of workarounds that include blocking Excel
file-types at the e-mail gateway.
File extensions associated with the widely deployed Microsoft Excel
program are: xls, xlt, xla, xlm, xlc, xlw, uxdc, csv, iqy, dqy, rqy,
oqy, xll, xlb, slk, dif, xlk, xld, xlshtml, xlthtml and xlv.
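One way to apply the gateway workaround above, as an added example and not Microsoft's advisory text or any vendor's product: a filter that walks a raw mail message, looks at each attachment's filename and flags those whose final extension is on the Excel list quoted above. The sample message it builds is constructed for the example; only the extension list and the filename "okN.xls" come from the article.

```python
from email import message_from_string
from email.message import EmailMessage

# Added example, not Microsoft's or any gateway vendor's code: a mail-gateway
# style filter that flags attachments whose extension is on the Excel list
# from the advisory. The sample message below is constructed.

# Extension list exactly as given in the article above.
EXCEL_EXTENSIONS = frozenset("""
    xls xlt xla xlm xlc xlw uxdc csv iqy dqy rqy oqy xll xlb slk dif
    xlk xld xlshtml xlthtml xlv
""".split())

def is_blocked_filename(name):
    """True if the file's final extension is an Excel type.
    Comparison is case-insensitive and ignores trailing spaces or dots,
    which some clients strip before deciding how to open the file."""
    cleaned = name.strip().rstrip(". ").lower()
    if "." not in cleaned:
        return False
    return cleaned.rsplit(".", 1)[1] in EXCEL_EXTENSIONS

def blocked_attachments(raw_message):
    """Walk a raw RFC 822 message and return the attachment filenames
    that the perimeter policy would block."""
    msg = message_from_string(raw_message)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and is_blocked_filename(filename):
            hits.append(filename)
    return hits

def build_sample_message():
    """Constructed test message: one attachment named after the file the
    article mentions (with placeholder bytes, not a real workbook) and one
    harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "staff@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 placeholder, not a real workbook",
                       maintype="application", subtype="vnd.ms-excel",
                       filename="okN.xls")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_string()

if __name__ == "__main__":
    print("would block:", blocked_attachments(build_sample_message()))
```

Two caveats a gateway operator would weigh: the list includes csv, so benign data exports are blocked too, and an extension filter does not look inside archives or at file content, so it is a stopgap until the patch ships rather than a substitute for it.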
The company's guidance comes just a few days after public confirmation
that a new, undocumented Excel flaw was being used in an attack
against an unidentified business target.
The attack resembles a similar exploit that targeted Microsoft Word
users, prompting suspicion among security researchers that the attacks
may be linked.
The Excel attack includes the use of a Trojan horse program called
Trojan.Mdropper.J that arrives as an Excel spreadsheet with the file
name "okN.xls."
When the Trojan is executed, it exploits the Excel flaw to drop and
execute a second piece of malware called Downloader.Booli.A. It then
silently closes Microsoft Excel.
Downloader.Booli.A attempts to run Internet Explorer and inject its
code into the browser to bypass firewalls. It then connects to a
remote Web site hosted in Hong Kong to download another unknown file.
In the latest advisory, Microsoft confirmed that the vulnerability
exists in Excel 2003, Excel Viewer 2003, Excel 2002, Excel 2000,
Microsoft Excel 2004 for Mac, and Microsoft Excel v. X for Mac.
Excel 2000 users are at highest risk because the program does not
prompt the user to Open, Save, or Cancel before opening a document.
Other versions of the software present a warning before a file is
opened, Microsoft said.
The company insists that a user must first open a malicious Excel file
attached to an e-mail or otherwise provided to them by an attacker to
be at risk.
The flaw is described as "improper memory validation" in Excel that
occurs only when the program goes into repair mode.
Microsoft also recommends that businesses using Excel 2003 prevent
Excel Repair mode by modifying the ACL (Access Control List) in the
Excel Resiliency registry key.
Detailed instructions can be found in the advisory.
Microsoft said businesses should also consider blocking the ability to
open Excel documents from Outlook as attachments, Web sites and the
file system directly.
This can be done by removing the registry keys that associate the
Excel documents with the Excel application.
As best practice, the company said Excel users should remember to be
very careful opening unsolicited attachments from both known and
unknown sources.
From isn at c4i.org Tue Jun 20 02:18:14 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:18:14 -0500 (CDT)
Subject: [ISN] UK's first computer hacking degree launched
Message-ID:
http://software.silicon.com/security/0,39024655,39159714,00.htm
By Andy McCue
19 June 2006
A degree course in computer hacking has been launched by a Scottish
university in response to industry demand for IT security experts.
The University of Abertay in Dundee will run the BSc (Hons)
undergraduate course in Ethical Hacking and Countermeasures from the
start of the next academic year in October.
Around 30 places are available on the course, which the university
says will provide a graduate with knowledge of how illegal computer
attacks can be performed and how they can be stopped.
The university prospectus said: "In the same way that police
detectives need to know how thieves can steal, computer systems
administrators need to know what hackers can do."
The university said it has launched the degree course in response to
demand from industry for people with the skills to test the security
of corporate IT networks.
A university spokesman said: "There are an increasing number of
compliance regulations and insurance policies that insist businesses
carry out security checks on their networks."
The university also stressed it will be vetting students "very
carefully" in accordance with Home Office guidelines and that they
will be monitored closely throughout the course.
The spokesman said: "We are not going to give them the full set of
tools on day one."
Although many existing undergraduate computing degrees cover elements
of this new course, Abertay claims to be the first UK university to
offer a dedicated degree course in hacking.
There are also ethical hacking courses and qualifications offered by
private sector IT training organisations such as the Training Camp,
which launched a course two years ago.
From isn at c4i.org Tue Jun 20 02:16:28 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:16:28 -0500 (CDT)
Subject: [ISN] Microsoft France site cracked
Message-ID:
http://www.theinquirer.net/?article=32509
By INQUIRER newsdesk
19 June 2006
TURKISH CRACKERS wheedled their way onto a Microsoft site in France
over the weekend, leaving a cheeky message for vexed voles.
The crackers, who operate under the name of TiTHacK, taunted
Microsoft: "Your System 0wned By Turkish Hackers!"
The naughty fellows threatened that Microsoft.com would be next.
The site was out of action for some time and the affected page now
directs visitors away from it and back to their own country pages.
Zone-h.org posted a mirror of the site and has more details here [1].
[1] http://www.zone-h.org/content/view/4767/31/
From isn at c4i.org Tue Jun 20 02:18:30 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 20 Jun 2006 01:18:30 -0500 (CDT)
Subject: [ISN] Spoofing Defense Dissed By Security Experts
Message-ID:
http://www.informationweek.com/news/showArticle.jhtml?articleID=189500626
By Sharon Gaudin
InformationWeek
June 19, 2006
A defense lawyer in an ongoing federal computer sabotage trial is
pushing the idea that four years ago, a hacker masqueraded as his
client to surreptitiously plant the logic bomb that took down
thousands of servers at UBS PaineWebber, thus framing an innocent man.
Roger Duronio, a former systems administrator at UBS, is currently on
trial in a District Court in Newark, N.J., for allegedly building and
distributing the logic bomb that crippled the company's ability to do
business for a day in some locations, and for as long as two to three
weeks in others, costing UBS a reported $3.1 million in cleanup costs
alone. If convicted, Duronio faces a maximum sentence of 30 years,
fines of up to $1 million and restitution for the money UBS spent on
recovery.
Chris Adams, Duronio's attorney and a partner at Walder Hayden &
Brogan in Roseland, N.J., has been throwing a slew of who-done-it
theories at the jury, including an outside hacker, another systems
administrator or even a slip-up by Cisco Systems, Inc., which was
doing a penetration test of the UBS network during the March 4, 2002
incident.
But one major theme that Adams keeps returning to is the idea of
someone - whether inside UBS or outside - using IP spoofing to pretend
to log into the company's Unix-based network from Duronio's home,
using the defendant's own corporate VPN connection. That's Adams'
explanation for why forensics examiners and federal investigators
traced remote connections to the network directly back to Duronio's
own IP address, during the times when pieces of the malicious code
were being planted on the system. The problem with this theory,
according to several security professionals and even one long-time
hacker, is that, technically, it simply can't be done.
''Spoofing the IP address is not difficult,'' says Johannes Ullrich,
chief research officer at the SANS Institute, a Bethesda, Md.-based
cyber security training and certification organization. ''The problem
is transferring data with a spoofed IP address. It's close to impossible
to do.'' Ullrich also is the chief technology officer for the Internet
Storm Center, a cooperative cyber threat monitoring and alert system.
IP spoofing (short for Internet Protocol address spoofing) is a way to
fool a computer into thinking that a packet is coming from machine A
when it is really coming from machine B. The header of every IP packet
contains its source address - normally the address that the packet was
sent from. By putting a different address into the header, a hacker
can give the appearance that the packet was sent from a different
machine.
IP spoofing often is used for denial-of-service attacks because the
attacker simply has to overwhelm a network with a flood of pings or
useless traffic, explains Ken van Wyk, a 20-year IT security veteran
and principal consultant with KRvW Associates, LLC of Alexandria, Va.
A session doesn't have to be established. The attacker, simply put,
has to pound on the door - he doesn't actually need to be let inside.
But Duronio's defense attorney has been asking various UBS witnesses
who have taken the stand so far to talk about IP spoofing and
sniffing, which is the act of capturing information - generally
packets - as they go over the network. ''You can read the packets and
use them to pretend you're coming from another IP address, can't
you?'' Adams last week asked Rafael Mendez, who was UBS' division vice
president for network services at the time of the attack. Mendez
responded that spoofing becomes much more difficult to do if the
packets are encrypted. He also said most ISPs set up sniffing
roadblocks, blocking that kind of security problem. The idea of
hackers using IP spoofing is generally traced back to Kevin Mitnick,
one of the world's most famous hackers and a cause célèbre at one time
in the hacker community. Mitnick was arrested in 1995 and was
convicted of wire fraud and breaking into computer systems at major
companies like Sun Microsystems, Inc. and Motorola. He used IP
spoofing to try to hide his identity during at least one attack.
The difference between what Mitnick did, and what the defense in the
Duronio trial is suggesting happened in this case, is that in this
latest scenario, IP spoofing would have had to have been used to load
actual lines of code onto the UBS servers. Mitnick just needed to get
a few packets through to the receiving server; a real session
wouldn't have had to have been established. That's a whole different
story from starting and maintaining a session long enough to load on, or
modify, code, says George Bakos, a self-proclaimed hacker with 20 years
of experience, and a senior security expert with the Institute for
Security Technology Studies at Dartmouth College in Hanover, N.H.
''When you connect to a machine, there are dozens of packets that are
exchanged just to authenticate and get ready to do things,'' says
Bakos, who said he broke into his first mainframe back in 1979. ''If
you're modifying code, or changing 70 lines of code, it would be like
taking hundreds, if not thousands, of TCP segments.''
Bakos explained that when using TCP (Transmission Control Protocol),
every data segment that's sent must be acknowledged by the recipient.
That acknowledgement contains a number that must be used when the
sending computer ships more data to the server. They are called TCP
sequence numbers, and the exchange of these numbers must remain
synchronized.
The problem, according to both Bakos and Ullrich, is that with IP
spoofing, the acknowledgement goes back to the true owner of the IP
address, not to the machine that is pretending to be at that address.
Since the server would not get a response from the spoofed address,
the connection would be broken.
Van Wyk said it would be like sending a postcard with someone else's
address on it. If the person who receives the card, responds, she'll
reply to the address written on the card and it will never get to the
phony sender.
''You can do it for a few packets, but the synchronization challenge
is very, very difficult,'' says Bakos. ''Once you lose
synchronization, then everything else you've done is thrown away.
Unfortunately, when doing TCP spoofing, you're flying blind. You never
see the responses come back to you. And what you're doing is out of
synch with what the server is doing. Then everything that you got into
the server will be tossed out if you don't maintain that
synchronization.''
Ullrich says the TCP sequence numbers are chosen randomly out of 4
billion options. He says guessing it would be ''close to impossible''
or at least a one-in-4-billion chance. Back in the mid-1990s, these
numbers were not picked randomly, so Mitnick had a much easier job
figuring out which ones to use.
And Ullrich also notes that an IP spoofing attack would be fairly easy
to spot on an enterprise system. ''If something is trying to do that
on your network, it's pretty obvious. It generates a lot of traffic
because these hosts are sending acknowledgements that they don't
understand.'' He also said there would be a record of the attempts.
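The handshake both experts describe, modelled as an added Python example (not code from the article or from the people it quotes; the hosts 10.0.0.5 and 10.0.0.80, the segment format and the monitor check are constructed for the model): a legitimate client completes the three-way handshake because the SYN-ACK comes back to it, while a forged-source attempt never sees the server's random ISN, the true owner of the address resets the half-open connection, and that stray RST is the traffic signal Ullrich says makes such attempts easy to spot.

```python
# Teaching model of why a blindly spoofed TCP handshake cannot be completed against
# a host that picks random 32-bit initial sequence numbers (ISNs), and of the traffic
# it leaves for a network monitor. Added example, not code from the article or the
# experts it quotes; addresses 10.0.0.5 / 10.0.0.80 and the segment format are constructed.
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # sequence numbers are 32-bit: the "4 billion options"

@dataclass
class Segment:
    src: str
    dst: str
    flags: str  # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0

class Host:
    """Minimal TCP endpoint: random ISN plus tables of handshakes in progress."""

    def __init__(self, addr, rng):
        self.addr, self.rng = addr, rng
        self.half_open = {}   # peer -> our ISN, for SYNs we answered
        self.opened = {}      # peer -> our ISN, for SYNs we sent
        self.established = set()

    def connect(self, peer):
        """Start a handshake from our real address: pick an ISN, build the SYN."""
        isn = self.opened[peer] = self.rng.getrandbits(32)
        return Segment(self.addr, peer, "SYN", seq=isn)

    def deliver(self, seg):
        """Handle a segment addressed to us; return the reply to send, if any."""
        if seg.flags == "SYN":
            isn = self.half_open[seg.src] = self.rng.getrandbits(32)  # uniformly random
            return Segment(self.addr, seg.src, "SYN-ACK", seq=isn, ack=(seg.seq + 1) & MASK32)
        if seg.flags == "SYN-ACK":
            isn = self.opened.get(seg.src)
            if isn is not None and seg.ack == (isn + 1) & MASK32:
                self.established.add(seg.src)
                return Segment(self.addr, seg.src, "ACK", seq=seg.ack, ack=(seg.seq + 1) & MASK32)
            # A SYN-ACK for a connection we never opened: the true owner of a spoofed
            # address resets it (the "acknowledgements they don't understand").
            return Segment(self.addr, seg.src, "RST", seq=seg.ack)
        if seg.flags == "ACK":
            isn = self.half_open.pop(seg.src, None)
            if isn is not None and seg.ack == (isn + 1) & MASK32:
                self.established.add(seg.src)  # sequence numbers in sync: handshake done
                return None
            return Segment(self.addr, seg.src, "RST", seq=seg.ack)  # out of sync: refuse
        if seg.flags == "RST":
            self.half_open.pop(seg.src, None)  # peer aborted; forget the half-open entry
        return None

class Wire:
    """Delivers each segment to the host that really owns its destination address."""

    def __init__(self, hosts):
        self.by_addr = {h.addr: h for h in hosts}
        self.log = []  # every segment in order: what a network monitor would see

    def send(self, seg):
        self.log.append(seg)
        reply = self.by_addr[seg.dst].deliver(seg)
        if reply is not None:
            self.send(reply)

def count_stray_resets(log):
    """Monitor check: RSTs answering a SYN-ACK, i.e. a host refusing a connection opened in its name."""
    return sum(1 for prev, cur in zip(log, log[1:])
               if prev.flags == "SYN-ACK" and cur.flags == "RST"
               and cur.src == prev.dst and cur.dst == prev.src)

def handshake(spoof_source, seed=1):
    """Run one handshake from 10.0.0.5 to 10.0.0.80 and report what came of it.
    spoof_source=False: the client connects from its own address.
    spoof_source=True: an attacker forges 10.0.0.5 as the source, so the wire
    delivers the SYN-ACK to the real 10.0.0.5 and the attacker never sees it."""
    rng = random.Random(seed)
    client, server = Host("10.0.0.5", rng), Host("10.0.0.80", rng)
    wire = Wire([client, server])
    if not spoof_source:
        wire.send(client.connect(server.addr))  # SYN-ACK returns to the true sender, ACK follows
    else:
        attacker = random.Random(seed + 1)
        fake_isn = attacker.getrandbits(32)
        wire.send(Segment(client.addr, server.addr, "SYN", seq=fake_isn))
        # Flying blind, the attacker can only guess the server's ISN (1 in 2**32), and
        # the victim's RST has already removed the half-open entry, so even a lucky
        # guess is refused and the server answers with an RST of its own.
        guess = attacker.getrandbits(32)
        wire.send(Segment(client.addr, server.addr, "ACK",
                          seq=(fake_isn + 1) & MASK32, ack=(guess + 1) & MASK32))
    return {"established": client.addr in server.established,
            "stray_resets": count_stray_resets(wire.log),
            "segments": [s.flags for s in wire.log]}
```

Running `handshake(False)` and `handshake(True)` side by side shows the two wire traces: three segments and an established connection in the first case, two stray resets and nothing established in the second.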
As for a hacker using a sniffing technique to get the IP address while
it's in transmission, Ullrich explained that a VPN has its own
encryption, along with ways to validate the IP address and the user.
''That's what you have a VPN for,'' he said. ''All the traffic is
encrypted and authenticated. Unless you're NSA or somebody like that,
you're not going to break that encryption.''
Copyright (c) 2005 CMP Media LLC
From isn at c4i.org Wed Jun 21 02:12:59 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 21 Jun 2006 01:12:59 -0500 (CDT)
Subject: [ISN] Attend the Black Hat Briefings & Training USA event!
Message-ID:
Attend the Black Hat Briefings & Training USA event!
July 29 - August 2, 2006 at Caesars Palace in Las Vegas, the world's
premier technical event for IT security experts. Black Hat profiles
next generation threats, delivers practical security techniques, and
an understanding of legal and policy issues. The Briefings are
designed to foster peer-to-peer communication and networking
opportunities with over 2,500 security professionals from 40+ nations.
Includes 36 hands-on training courses July 29 - August 1, and 60
presentations at the Briefings August 2-3, featuring security experts
and "underground" security specialists.
Register before June 30 for early-bird savings!
http://www.blackhat.com
From isn at c4i.org Wed Jun 21 02:13:18 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 21 Jun 2006 01:13:18 -0500 (CDT)
Subject: [ISN] UAB Computer Theft Puts Thousands At Risk Of Identity Theft
Message-ID:
http://www.nbc13.com/news/9398562/detail.html
June 20, 2006
BIRMINGHAM, Ala. -- A computer possibly containing the names, Social
Security numbers and medical information for almost 10,000 people has
been stolen from the University of Alabama at Birmingham.
The computer had lists of donors, recipients and potential recipients
of the university's kidney transplant program.
UAB officials said there is no indication that the information has
been used.
This could mean that personal information of 9,800 UAB kidney patients
is out on the street and subject to possible identity theft.
The computer was stolen from the UAB School of Medicine Research
Department in February. The people affected were not notified until
June 8. UAB said that was because it took months for the school to
reconstruct the missing database.
The university said it has apologized to those affected and offered
assistance. UAB said a letter was sent to each person alerting them of
the crime and giving them the option of subscribing to a credit
monitoring company that will alert them of any suspicious activity
that might indicate identity theft.
Copyright 2006 by NBC13.com
From isn at c4i.org Wed Jun 21 02:12:40 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 21 Jun 2006 01:12:40 -0500 (CDT)
Subject: [ISN] Ohio U. Suspends Two Over Hackers' Theft
Message-ID:
http://www.phillyburbs.com/pb-dyn/news/95-06202006-673296.html
The Associated Press
June 20, 2006
ATHENS, Ohio - Ohio University said Tuesday it has suspended two
information technology supervisors over recent breaches by hackers who
may have stolen 173,000 Social Security numbers from school computers.
The school did not identify the director of communications network
services - identified on the school's Web site as Thomas Reid - and
manager of Internet and systems. Both were suspended pending the
school's investigation of the breaches, five of which have happened
since March 2005.
A message was left late Tuesday at a home phone listing for Reid.
Citing results from an independent audit, the school also said
University President Roderick McDavis will ask trustees for up to $2
million to improve computer security. McDavis said he deeply regretted
the inconvenience and stress the breaches caused university employees.
"We hold ourselves fully accountable," McDavis wrote Monday in an
e-mail to faculty and staff.
The school said in April it had discovered a computer breach at its
training center for fledgling businesses. Since then, electronic
break-ins also were reported at the school's alumni office, health
center and the department that handles records for businesses the
university hires.
Students, alumni and employees have been told to run credit checks and
place fraud watches on their credit card and bank accounts. About two
dozen people have told the school they were victimized by identity
theft in the past year.
-=-
On the Net:
Ohio University data theft: http://www.ohio.edu/datatheft
From isn at c4i.org Wed Jun 21 02:13:32 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 21 Jun 2006 01:13:32 -0500 (CDT)
Subject: [ISN] Worm burrows into Google's Orkut
Message-ID:
http://www.techworld.com/security/news/index.cfm?newsID=6251
By John E. Dunn
Techworld
19 June 2006
An automated information theft worm has been discovered spreading
through Google's social networking website, Orkut.
Using a URL as the lure, MW.Orc installs itself in an Orkut scrapbook,
a public guestbook where visitors can leave comments or links.
Infection follows for anyone clicking on this, after which it attempts
to steal banking user names and passwords in trusted phishing style,
should such services be accessed.
The worm also gives criminals the potential to use the infected PC as
a bot for the distribution of pirated movie files.
Written in Portuguese, the link is believed to be designed to hook
Brazilians, the main users of the system. Google is said to have come
up with a temporary patch to stop its activities, although a posting
by FaceTime Security Labs' researchers on blog.spywareguide states
that the worm has been causing problems for some time.
"The idea of problems behind "gated" communities is a pretty
interesting one, even more so when the idea regularly rolls around
that segregating various parts of the Internet to "keep the bad guys
out" would be a great idea. But what happens when those bad-guys are
already inside the gates?," the blog entry continues.
"Sometimes there is a false sense of security and trust that an end
user has in a "gated" community such as Orkut. This is similar to what
we see happening in instant messaging," was the official comment from
FaceTime's Chris Boyd.
A relatively obscure part of the Google empire, the invitation-only
Orkut is said to have been named after its creator, Google employee
Orkut Buyukkokten.
From isn at c4i.org Wed Jun 21 02:13:54 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 21 Jun 2006 01:13:54 -0500 (CDT)
Subject: [ISN] Lord battles government over cybercrime laws
Message-ID:
http://news.zdnet.co.uk/internet/security/0,39020375,39276193,00.htm
Tom Espiner
ZDNet UK
June 20, 2006
Lord Northesk wants to protect IT pros and the police from
criminalisation, and nail down the law covering denial of service
attacks
Sweeping changes to UK computer crime laws have been proposed by a
Conservative peer.
Lord Northesk is seeking to amend the Computer Misuse Act (CMA) 1990
to give the police and judiciary greater "legal clarity" when dealing
with computer crime.
The proposed changes would alter the law regarding launching denial of
service attacks, the creation of tools that could be used for hacking,
and bot attacks.
The UK government is currently trying to update the CMA through
amendments in the Police and Justice Bill 2006, which will be debated
in the House of Lords this week. Northesk has proposed amendments to
the government's own amendments.
As it stands, paragraph 1b of Clause 41 of the Police and Justice Bill
would make it an offence to release a computer tool that is "likely to
be used" in a computer offense. As reported last month, experts are
concerned that the government's proposals would have criminalised IT
and security professionals who make network monitoring tools publicly
available or who disclose details of unpatched vulnerabilities.
Northesk's amendments, if passed, would see this paragraph deleted. He
believes that it could even criminalise the police, if they create and
distribute tools for forensic investigation.
Northesk is pushing for the concept of recklessness to be introduced
into the updated CMA. He is seeking to amend Clause 40 of the Police
and Justice Bill so that malicious denial of service (DoS) attacks are
criminalised by the CMA but legitimate political protests that slow
down servers would not be.
"The key point in Clause 40 is the inclusion of recklessness and
intention [in launching attacks]. With effective civil disobedience, a
whole series of people petition online [which may cause servers to
crash]. Under the current draft this form of legitimate protest may be
denied," said Northesk.
"The purpose of the Clause 40 amendment is to address the fundamental
issue that a lot of Internet activity - such as electronic civil
disobedience - currently comes under CMA."
By introducing the issue of recklessness, Lord Northesk also hopes to
protect the police themselves from prosecution. "With [establishing]
recklessness there is no bar on forensic hacking," he said.
Northesk has also proposed modifying Clause 39 of the Police and
Justice Bill so that Trojan horse software that inserts itself onto a
system, allowing remote access by hackers, will be specifically
covered by the law.
"The current text of the CMA doesn't deal with bot attacks - inserting
software onto a machine that allows remote attacks," said Northesk.
The peer said he hopes the legislation will enable the police and
judiciary to better tackle cybercrime, and provide the government with
guidance in understanding it.
"I'm a great believer in legal clarity. Too often within government
it's not properly understood that which is trying to be achieved. In
the desire to future-proof legislation, they tend not to address
problems that are sitting there because they are seen as difficult to
understand," Northesk told ZDNet UK.
From isn at c4i.org Thu Jun 22 03:28:46 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:28:46 -0500 (CDT)
Subject: [ISN] Study: Most Technology Companies Have Data Losses
Message-ID:
http://www.eweek.com/article2/0,1895,1979924,00.asp
By Matt Hines
June 21, 2006
Over half of all companies doing business in the technology, media and
telecommunications sectors have experienced data breaches that
potentially exposed their intellectual property or customer
information, a new research report shows.
According to the report, published by Deloitte Touche Tohmatsu, not
only have many technology providers been hit with the same sorts of
data losses that have recently plagued other industries, but a large
number of the firms have also failed to make sufficient investments in
security technologies aimed at preventing future incidents.
Deloitte researchers said that security has long been "neglected" by
technology, media and telecommunications companies despite their
dependence on digital information to run their businesses.
The consulting company surveyed executives at 150 such companies and
found that even in the face of public embarrassment, financial losses
and potential litigation linked to data breaches, many of the
businesses have yet to make necessary investments to more adequately
protect their information.
According to the report, more than 50 percent of the companies
surveyed admitted to having a data loss within the last 12 months,
with roughly one-third of those incidents directly resulting in
financial losses.
Half of the companies reporting data breaches said the incidents
involved internal attacks or policy violations.
Of the firms surveyed, only 4 percent said their employers are doing
enough to address the issue, and just 20 percent of respondents said
that they feel confident that their companies' intellectual property
is being sufficiently safeguarded.
Some 24 percent of interviewees said that the security tools they have
installed are being used effectively.
While phishing schemes continue to pose a major threat to companies'
customer information and brand reputations, only 18 percent of those
executives surveyed said that their firms have employed technologies
aimed at preventing the attacks.
Deloitte said that 37 percent of the companies it interviewed have
provided additional security training to their employees within the
last 12 months.
At the heart of the issue, the report said, is companies' reluctance
to increase their spending on new security measures.
While 74 percent of survey respondents said that they expect to spend
more time and money on improving security in 2006, the average budget
increase among those companies was only 9 percent.
Fewer than 15 percent of those increasing their security budgets
planned to do so by over 20 percent, Deloitte said.
Despite the sobering statistics, Deloitte researchers said that
technology, media and telecommunications companies are beginning to
make changes to improve their IT defenses and security policies.
Regulations such as the U.S. government's Sarbanes-Oxley Act have helped
pave the way for those improvements, said Brian Geffert, principal of
security and privacy services at Deloitte.
"Sarbanes got people to understand security a bit more, and now more
people are catching up; more CEOs are communicating directly with
chief information security officers, and I think we will see a lot
more investment from these particular companies," said Geffert.
"To a degree people are in the stage where they are still making
plans, and not yet fully engaged in moving forward, but there's
progress."
Only 63 percent of respondents to the survey said they have a
senior-level executive in their company dedicated to managing security
issues, with 53 percent of information technology companies employing
those types of leaders.
Deloitte noted that those numbers were lower than the proportion of
companies in other industries with C-level security executives already
in place.
Further, the survey found that 52 percent of technology, media and
telecommunications companies consider security a problem for IT
departments, rather than viewing the issue as a central business
concern.
The top five information security concerns identified by the
executives polled were those related to instant messaging systems,
phishing schemes, viruses that attack mobile devices, hacks into
online brokerage accounts and other Web-based crimes.
So-called insider attacks, or threats emanating from employees or
other people with legitimate access to IT systems, are another major
concern.
However, only 59 percent of the companies interviewed said that they
have any form of employee behavior monitoring technology in place.
While 25 percent of respondents cited insider fraud as their
primary internal security concern, 22 percent pointed to data losses
such as the incidents that have recently victimized the U.S.
Department of Veterans Affairs and insurance giant American
International Group as their greatest fear.
"These data leaks are starting to make people think differently about
the manner in which they handle data, and you also have the emergence
of small storage devices capable of carrying off a boatload of data,
those things have opened people's eyes," Geffert said.
"At the end of the day, it's all about getting people to look at their
work habits differently and letting workers know what their
responsibilities are for protecting the data; technology companies are
a bit behind other industries today, but there's no reason that they
cannot catch up."
From isn at c4i.org Thu Jun 22 03:29:18 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:29:18 -0500 (CDT)
Subject: [ISN] A Dozen Security Patches and Several Related Exploits
Message-ID:
1. In Focus: A Dozen Security Patches and Several Related Exploits
2. Security News and Features
- Recent Security Vulnerabilities
- Microsoft Takes Security to the Forefront
- Will Ethereal Be Devoured by Wireshark?
- SmartLine DeviceLock Minireview
3. Security Toolkit
- Security Matters Blog
- FAQ
- Security Forum Featured Thread
- Instant Poll
- Share Your Security Tips
4. New and Improved
- Virtual Security Gateway
====================
==== 1. In Focus: A Dozen Security Patches and Several Related Exploits ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
As you hopefully know by now, Microsoft released a dozen security
patches last week. Microsoft rated eight of the patches as critical,
meaning that the related problems could be exploited without user
interaction to possibly spread a worm. The remaining four patches are
rated important, meaning that the related problem could be exploited to
compromise sensitive information, hinder access to data, or affect
availability and integrity of processing resources.
After Microsoft releases security patches, intruders often quickly
release exploits that take advantage of the vulnerabilities or
researchers sometimes discover that previously known security problems
still exist and that the latest batch of patches left problems unfixed.
This past week was no different.
Reading the Handler's Diary blog at SANS Internet Storm Center (at the
URL below) last week, I learned that the day after Microsoft released
its security patches, there were at least six new exploits.
Fortunately, two of those exploits, which affect Microsoft Windows
Media Player and RRAS, were released by a security vendor to its
customers, so those weren't floating around in the wild. Another
exploit, which affects TCP/IP networking, was released privately, so it
wasn't in the wild either. Yet another exploit, which affects Microsoft
Word, was already in the wild before the related patch was released.
That leaves at least two new exploits that are in the wild, both of
which affect Server Message Block (SMB) and could be used to elevate
privileges or hide a running process.
http://list.windowsitpro.com/t?ctl=2F246:4FB69
These last two exploits caught my attention because installing the
patch in the related Microsoft Security Bulletin MS06-030:
Vulnerability in Server Message Block Could Allow Elevation of
Privilege doesn't completely fix the security problems. Even with the
patch installed, vulnerability remains, although to an arguably lesser
extent.
Ruben Santamarta, who runs the reversemode.com Web site, posted a
message to SecurityFocus's BugTraq mailing list (at the URL below) in
which he stated in reference to MS06-030, "Microsoft has not fixed the
NtClose/ZwClose DeadLock vulnerability.... I think that the Driver
Developer community should be informed that using NtClose/ZwClose, the
driver will be exposed to a security issue by default."
http://list.windowsitpro.com/t?ctl=2F23B:4FB69
Santamarta published a document on his Web site that discusses the
problem in considerable technical detail (at the URL below). If I
understand correctly, Santamarta has found that a malware writer could
use the still existing vulnerability to essentially hide a process. As
demonstrated in one of his published exploits, even if you try to
terminate the process, it will disappear but not actually stop running.
This of course gives the malware writer a great way to avoid malware
removal. Santamarta's proof of concept points out that Microsoft needs
to fix this problem sooner rather than later.
http://list.windowsitpro.com/t?ctl=2F231:4FB69
Finally, another exploit you need to be aware of, which isn't related
to Microsoft's June release of patches, is a zero-day exploit released
last week that affects Microsoft Excel. At the time of this writing, no
patch was available from Microsoft to correct the problem. The problem
is serious in that it allows the execution of arbitrary code when
someone opens an affected Excel document. Security vendors are working
to provide detection of this exploit, so hopefully you'll have the
protection you need by the time you read this newsletter.
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=2F234:4FB69
Microsoft Takes Security to the Forefront
At TechEd 2006 last week in Boston, Microsoft announced its
Forefront brand and the launch of ISA Server 2006. Forefront will
include solutions for clients, servers, and the network boundary. Find
out what products will be included and when you can expect to see them.
http://list.windowsitpro.com/t?ctl=2F23F:4FB69
Will Ethereal Be Devoured by Wireshark?
Ethereal has long been the tool of choice among countless network
administrators for robust packet capturing and protocol analysis. Now
the hugely popular open source tool has a new name, Wireshark, and a
new sponsor to go along with it.
http://list.windowsitpro.com/t?ctl=2F23E:4FB69
SmartLine DeviceLock Minireview
SmartLine's DeviceLock lets you manage device security for portable
devices by assigning users access levels to network devices and
interfaces, such as USB and infrared ports, wireless network adapters,
and removable storage devices. Read Trisha Pendley's minireview on our
Web site.
http://list.windowsitpro.com/t?ctl=2F23C:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog: 100GB in My Pocket!
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2F242:4FB69
I found a super-affordable portable disk that gives me 100GB to
store whatever I need, like bunches of security tools and even an
alternative OS. Plus I can carry it around in my pocket.
http://list.windowsitpro.com/t?ctl=2F23D:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=2F241:4FB69
Q: Why does the Windows Server 2003 R2 File Server Resource Manager
(FSRM) file screen audit report contain three entries for file screen
violations?
Find the answer at http://list.windowsitpro.com/t?ctl=2F236:4FB69
Security Forum Featured Thread: Using Administrator Account Is a
Security Offense
A forum participant wonders why it's a serious security offense in
some organizations for a network administrator to use the Administrator
account for routine work. Join the discussion at
http://list.windowsitpro.com/t?ctl=2F22C:4FB69
New Instant Poll
Is your company using Microsoft's antispyware tool, Windows Defender
Beta 2, on its systems?
- Yes, it's the only antispyware tool we use
- Yes, we use it along with other antispyware programs
- No, we use another antispyware program
Go to the Security Hot Topic and submit your vote
http://list.windowsitpro.com/t?ctl=2F240:4FB69
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Virtual Security Gateway
Astaro announced the general availability of Astaro Security Gateway
for VMware, which lets customers run Astaro Security Gateway software
on a VMware infrastructure. A new Astaro Command Center will allow for
one integrated view and unified control of any number of Astaro
Security Gateways for VMware and/or Astaro Security Gateway physical
appliances. Suggested pricing for a sample configuration of 250 active
users, 512,000 connections, and one year of maintenance is $11,885. For
more information or to download a trial copy of the software, go to
http://list.windowsitpro.com/t?ctl=2F245:4FB69
Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Best Buy Gift Card if we write about the product in a
Windows IT Pro What's Hot column. Send your product suggestion with
information about how the product has helped you to
whatshot at windowsitpro.com.
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2F244:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2F23A:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Jun 22 03:29:35 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:29:35 -0500 (CDT)
Subject: [ISN] Voylent beta released for public download
Message-ID:
Voylent beta released for public download
Voylent is a client for cellphones that encrypts voice conversations
(IP support not available in this version). We have just released our
first public beta and are looking for testers, feature requests and
feedback. The client has been tested on only a few models, mainly Nokia
S60 with Symbian OS. The full list of devices it runs on is included
in the release notes & FAQ.
We also decided to publish the information regarding the secure
channel and key negotiation protocol. The PDF is available for
download without registration on our website.
We understand that installing (and running successfully) a new
application on a cellphone is not as straightforward as it should be,
but we offer support via email and phone and we are keen to squash as
many bug / UI improvements as possible.
More information at http://www.voylent.com/
From isn at c4i.org Thu Jun 22 03:29:54 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:29:54 -0500 (CDT)
Subject: [ISN] USDA covers its bases with a detailed plan
Message-ID:
http://www.gcn.com/print/25_16/41041-1.html
By Brad Grimes and Jason Miller
GCN Staff
06/19/06 issue
The Agriculture Department's wireless policy, updated in April through
a series of departmental notices, comprises everything from
architectural requirements to acquisition guidance.
Unlike the Defense Department's most recent wireless memorandum,
USDA's policy covers technologies such as Bluetooth and infrared
communications, which the department tightly restricts, requiring that
Bluetooth and infrared be used only between government-owned devices
or within secure government facilities.
These technologies also can only be used with strict security measures
turned on, including Encryption Mode 3, use of temporary personal
identification numbers and more.
It's a very detailed policy.
"We have 3,000 county offices where they use wireless devices, and we
have to make sure we have a policy that takes care of all our concerns
from a security perspective," said Robert Suda, USDA's associate CIO.
For instance, if an employee teleworks and uses a wireless LAN at
home, a department representative must inspect the employee's home to
ensure the use of Secure Sockets Layer protocol, virtual private
networking or the IEEE 802.11i wireless security standard with AES
encryption.
Within USDA, the policy requires the use of 802.11i. Approved two
years ago, the standard can be a hurdle for agencies that deployed
pre-802.11i networks, because the accompanying encryption algorithms
often require hardware upgrades.
USDA offices must also deploy 802.11i wireless equipment certified by
the National Institute of Standards and Technology to conform to
Federal Information Processing Standards 140-2. As in the recent DOD
wireless policy, FIPS-140-1 cryptographic modules are not acceptable.
Offices that deployed wireless networks before 802.11i came out have a
year from April to upgrade, and they're not allowed to connect their
noncompliant networks to any other USDA network without a waiver.
Aside from 802.11i requirements, USDA has taken many of the same steps
as DOD, requiring wireless intrusion detection devices and firewalls
along the wireless network. But unlike DOD, USDA is particularly
concerned with access point configuration.
The department requires X.509 certificates in all devices to
authenticate actual access points. USDA also requires that all APs be
registered with the department and maintain logs of unauthorized
access attempts for 30 days. In addition, the policy said, "APs will
be located on interior walls of buildings."
Agriculture is one of only a handful of agencies with a mature
wireless policy.
© 1996-2006 Post-Newsweek Media, Inc.
From isn at c4i.org Thu Jun 22 03:30:10 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:30:10 -0500 (CDT)
Subject: [ISN] Hacker enters Agriculture dept. computers
Message-ID:
http://seattlepi.nwsource.com/business/1700AP_Agriculture_Hacker.html
By Libby Quaid
AP FOOD AND FARM WRITER
June 21, 2006
WASHINGTON -- A hacker broke into the Agriculture Department's
computer system and may have obtained names, Social Security numbers
and photos of 26,000 Washington-area employees and contractors, the
department said Wednesday.
Agriculture Secretary Mike Johanns said the department will provide
free credit monitoring for one year to anyone who might have been
affected.
The break-in happened during the first weekend in June, the department
said. Technology staff learned of the breach on June 5 and told
Johanns the following day but believed personal information was
protected by security software, the department said.
However, on further analysis, staff concluded that data on current or
former employees might have been accessed and informed Johanns on
Wednesday, according to the department.
The department said it notified law enforcement agencies. Its
inspector general is investigating the break-in.
The information was used for staff or contractor badges in Washington
and the surrounding area, spokeswoman Terri Teuber said. Those who
might have been affected were notified by e-mail and were being sent
letters.
People who believe they may be affected by the data breach can go to
http://www.firstgov.gov for more information. The Agriculture
Department has a toll-free number to call for information about the
incident or about consumer-identity protections. The number,
1-800-FED-INFO (1-800-333-4636), is a call center that operates from 8
a.m. to 9 p.m. EDT Monday through Saturday.
Other federal departments have acknowledged recently that private
information had been compromised.
As many as 26.5 million people may have been affected by the theft of
a laptop computer containing Veterans Affairs information including
Social Security numbers and birth dates. The computer was taken from
the home of a VA employee, and officials waited nearly three weeks
before notifying veterans on May 22 of the theft.
Earlier this month, the Health and Human Services Department
discovered that personal information for nearly 17,000 Medicare
beneficiaries may have been compromised when an insurance company
employee called up the data through a hotel computer and then failed
to delete the file.
Social Security numbers and other information for nearly 1,500 people
working for the National Nuclear Security Administration may have been
compromised when a hacker gained entry to an Energy Department
computer system last fall. Officials said June 12 they had learned
only recently of the breach.
-=-
On the Net: Agriculture Department: http://www.usda.gov
From isn at c4i.org Thu Jun 22 03:30:26 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:30:26 -0500 (CDT)
Subject: [ISN] Wi-Fi drivers open laptops to hackers
Message-ID:
http://www.techworld.com/mobility/news/index.cfm?newsID=6272
By Robert McMillan
IDG News Service
22 June 2006
Hackers can take control of laptops by Wi-Fi, even when the user is
not connected to a wireless LAN, according to security researchers.
The hack, which exploits bugs in wireless device drivers, will be
demonstrated at the upcoming Black Hat USA 2006 conference during a
presentation by David Maynor, a research engineer with Internet
Security Systems, and Jon Ellch, a student at the US Naval
postgraduate school in Monterey, California.
Device driver hacking is technically challenging, but the field has
become more appealing in recent years, thanks in part to new software
tools that make it easier for less technically savvy hackers, known as
script kiddies, to attack wireless cards, Maynor said in an interview.
The two researchers used an open-source 802.11 hacking tool called
Lorcon (Lots of Radio Connectivity) to throw an extremely large
number of wireless packets at different wireless cards. Hackers use
this technique, called fuzzing, to see if they can cause programs to
fail, or perhaps even run unauthorised software when they are
bombarded with unexpected data.
Using tools like Lorcon, Maynor and Ellch were able to discover many
examples of wireless device driver flaws, including one that allowed
them to take over a laptop by exploiting a bug in an 802.11 wireless
driver. They also examined other networking technologies including
Bluetooth, Ev-Do (EVolution-Data Only), and HSDPA (High Speed Downlink
Packet Access).
The two researchers declined to disclose the specific details of their
attack before the August 2 presentation, but they described it in
dramatic terms.
"This would be the digital equivalent of a drive-by shooting," said
Maynor. An attacker could exploit this flaw by simply sitting in a
public space and waiting for the right type of machine to come into
range.
The victim would not even need to connect to a network for the attack
to work.
"You don't have to necessarily be connected for these device driver
flaws to come into play," Ellch said. "Just because your wireless card
is on and looking for a network could be enough."
More than half of the flaws that the two researchers found could be
exploited even before the wireless device connected to a network.
Wireless devices are often configured to be constantly sniffing for
new networks, and that can lead to security problems, especially if
their driver software is badly written. Researchers in Italy recently
created a hacking lab on wheels, called project BlueBag, to underscore
this point by showing just how many vulnerable Bluetooth wireless
devices they could connect with by wandering around public spaces like
airports and shopping malls. After spending about 23 hours wandering
about Milan, they had found more than 1,400 devices that were open to
connection.
"Wireless device drivers are like the Wild, Wild West right now,"
Maynor said. "Lorcon has really brought mass Wi-Fi packet injection to
script kiddies. Now it's pretty much to the point where anyone can do
it."
Part of the problem is that the engineers who write device drivers
often do not have security in mind, he said.
A second problem is that vendors also make devices that go beyond the
requirements of a particular wireless standard. That piling on of
features can open security holes as well, he said.
All contents © IDG 2006
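As an added illustration of the point the article makes about badly written drivers failing on unexpected data (this is not code from the article, nor from the Maynor/Ellch research it reports): management frames in 802.11 carry a list of information elements (IEs), each prefixed by an id byte and a length byte, and a driver that trusts that length byte is the kind of parser fuzzing breaks. The C below puts the unchecked copy beside a bounds-checked walk and runs the checked version over constructed frames. The frame bytes, function names and error codes are this example's own; treating IE parsing as a representative flaw class is an assumption, not a statement about the specific bugs the researchers found.

```c
/* Added example: defensive walk over the information elements (IEs) of an
 * 802.11 management frame. Frame bytes, names and error codes below are
 * constructed for this illustration and are not from the article. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IE_SSID      0          /* element id of the SSID IE */
#define IE_RATES     1          /* element id of the supported-rates IE */
#define MAX_SSID_LEN 32         /* 802.11 caps an SSID at 32 bytes */

/* Result codes returned by ie_walk(). */
enum { IE_ERR_TRUNCATED = -1, IE_ERR_SSID_TOO_LONG = -2 };

/* Naive form: trusts the per-IE length byte. Fed a frame whose SSID IE
 * claims 200 bytes, this reads past the end of the frame and writes past
 * the 32-byte destination. Shown for contrast; only ever call it on a
 * frame you built yourself. */
void copy_ssid_unchecked(const uint8_t *ie, char out[MAX_SSID_LEN + 1])
{
    uint8_t ie_len = ie[1];
    memcpy(out, ie + 2, ie_len);   /* no check against MAX_SSID_LEN or frame size */
    out[ie_len] = '\0';
}

/* Hardened form: every IE header is checked against the bytes remaining in
 * the frame before its body is touched, and an SSID longer than the
 * standard allows is rejected. Returns the number of IEs seen, or a
 * negative code. ssid_out receives the NUL-terminated SSID ("" if none). */
int ie_walk(const uint8_t *buf, size_t len, char ssid_out[MAX_SSID_LEN + 1])
{
    size_t off = 0;
    int count = 0;
    ssid_out[0] = '\0';

    while (off < len) {
        if (len - off < 2)                 /* need the id and length bytes */
            return IE_ERR_TRUNCATED;
        uint8_t id = buf[off];
        uint8_t ie_len = buf[off + 1];
        if (ie_len > len - off - 2)        /* body would run past the frame */
            return IE_ERR_TRUNCATED;
        if (id == IE_SSID) {
            if (ie_len > MAX_SSID_LEN)     /* length fits the frame but not an SSID */
                return IE_ERR_SSID_TOO_LONG;
            memcpy(ssid_out, buf + off + 2, ie_len);
            ssid_out[ie_len] = '\0';
        }
        off += 2 + (size_t)ie_len;
        count++;
    }
    return count;
}

/* Constructed sample IE blobs (the tagged-parameter part of a beacon). */
static const uint8_t good_frame[] = {
    IE_SSID, 4, 'l', 'a', 'b', '1',            /* SSID "lab1" */
    IE_RATES, 3, 0x82, 0x84, 0x8b              /* three supported rates */
};
/* Same two IEs, but the SSID length byte is far larger than the frame. */
static const uint8_t bad_frame[] = {
    IE_SSID, 200, 'l', 'a', 'b', '1',
    IE_RATES, 3, 0x82, 0x84, 0x8b
};
/* Length fits inside the frame but exceeds the 32-byte SSID maximum. */
static const uint8_t long_ssid_frame[40] = { IE_SSID, 38, 'A' };  /* rest zero-filled */

/* Wrappers so each case can be checked by name; the SSID of the last
 * successful walk is kept in a buffer readable via ssid_seen(). */
static char last_ssid[MAX_SSID_LEN + 1];
int walk_good(void) { return ie_walk(good_frame, sizeof good_frame, last_ssid); }
int walk_bad(void)  { return ie_walk(bad_frame, sizeof bad_frame, last_ssid); }
int walk_long(void) { return ie_walk(long_ssid_frame, sizeof long_ssid_frame, last_ssid); }
const char *ssid_seen(void) { return last_ssid; }

int main(void)
{
    printf("good frame: %d IEs, ssid=\"%s\"\n", walk_good(), ssid_seen());
    printf("oversized length byte: %d (expect %d)\n", walk_bad(), IE_ERR_TRUNCATED);
    printf("SSID over 32 bytes:    %d (expect %d)\n", walk_long(), IE_ERR_SSID_TOO_LONG);
    copy_ssid_unchecked(good_frame, last_ssid);   /* safe only because this frame is trusted */
    printf("unchecked copy on trusted frame: \"%s\"\n", ssid_seen());
    return 0;
}
```

The two checks in ie_walk are the whole difference: the remaining-length test keeps the parser inside the frame the card actually received, and the SSID cap keeps it inside the destination buffer, so a frame that lies about its lengths is dropped instead of driving a copy off the end of kernel memory. The unchecked variant passes the same well-formed frame, which is exactly why such bugs survive until someone sends the malformed one.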
From isn at c4i.org Thu Jun 22 03:31:15 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:31:15 -0500 (CDT)
Subject: [ISN] 'UFO Hacker' Tells What He Found
Message-ID:
http://www.wired.com/news/technology/internet/0,71182-0.html
By Nigel Watson
June 21, 2006
The search for proof of the existence of UFOs landed Gary McKinnon in
a world of trouble.
After allegedly hacking into NASA websites -- where he says he found
images of what looked like extraterrestrial spaceships -- the
40-year-old Briton faces extradition to the United States from his
North London home. If convicted, McKinnon could receive a 70-year
prison term and up to $2 million in fines.
Final paperwork in the case is due this week, after which the British
home secretary will rule on the extradition request.
McKinnon, whose extensive search through U.S. computer networks was
allegedly conducted between February 2001 and March 2002, picked a
particularly poor time to expose U.S. national security failings in
light of the terror attacks of Sept. 11, 2001.
McKinnon tells what he found and discusses the motivation behind his
online adventures in this exclusive phone interview with Wired News.
Wired News: What was your motive or inspiration for carrying out your
computer hacking? Was it the War Games movie?
Gary McKinnon: This is a bit of a red herring. I have seen it but I
wasn't inspired by it. My main inspiration was The Hacker's Handbook
by Hugo Cornwall. The first edition that I read was too full of
information.... It had to be banned, and it was reissued without the
sensitive stuff in it.
WN: Without this book would you have been able to do it?
McKinnon: I would have done it anyway because I used the internet to
get useful information. The book just kick-started me. Hacking for me
was just a means to an end.
WN: In what way?
McKinnon: I knew that governments suppressed antigravity, UFO-related
technologies, free energy or what they call zero-point energy. This
should not be kept hidden from the public when pensioners can't pay
their fuel bills.
WN: Did you find anything in your search for evidence of UFOs?
McKinnon: Certainly did. There is The Disclosure Project. This is a
book with 400 testimonials from everyone from air traffic controllers
to those responsible for launching nuclear missiles. Very credible
witnesses. They talk about reverse-(engineered) technology taken from
captured or destroyed alien craft.
WN: Like the Roswell incident of 1947?
McKinnon: I assume that was the first and assume there have been
others. These relied-upon people have given solid evidence.
WN: What sort of evidence?
McKinnon: A NASA photographic expert said that there was a Building 8
at Johnson Space Center where they regularly airbrushed out images of
UFOs from the high-resolution satellite imaging. I logged on to NASA
and was able to access this department. They had huge, high-resolution
images stored in their picture files. They had filtered and
unfiltered, or processed and unprocessed, files.
My dialup 56K connection was very slow trying to download one of these
picture files. As this was happening, I had remote control of their
desktop, and by adjusting it to 4-bit color and low screen resolution,
I was able to briefly see one of these pictures. It was a silvery,
cigar-shaped object with geodesic spheres on either side. There were
no visible seams or riveting. There was no reference to the size of
the object and the picture was taken presumably by a satellite looking
down on it. The object didn't look manmade or anything like what we
have created. Because I was using a Java application, I could only get
a screenshot of the picture -- it did not go into my temporary
internet files. At my crowning moment, someone at NASA discovered what
I was doing and I was disconnected.
I also got access to Excel spreadsheets. One was titled
"Non-Terrestrial Officers." It contained names and ranks of U.S. Air
Force personnel who are not registered anywhere else. It also
contained information about ship-to-ship transfers, but I've never
seen the names of these ships noted anywhere else.
WN: Could this have been some sort of military strategy game or
outline of hypothetical situations?
McKinnon: The military want to have military dominance of space. What
I found could be a game -- it's hard to know for certain.
WN: Some say that you have given the UFO motivation for your hacking
as a distraction from more nefarious activities.
McKinnon: I was looking before and after 9/11. If I had wanted to
distract anyone, I would not have chosen ufology, as this opens me up
to ridicule.
WN: Tell me about your experiences with law enforcement and the
procedures you have gone through.
McKinnon: I was arrested by the British National Hi Tech Crime Unit in
March 2002. They held me in custody for about six or seven hours. My
own computer and ones I was fixing for other people were taken away.
The other machines were eventually returned, but they kept my hard
drive that was sent to the U.S. It was November 2002 when the U.S.
Department of Justice started their efforts to extradite me.
WN: The British Crown Prosecution Service dropped charges against you
because your activities did not involve British computers.
McKinnon: I was to be officially charged in 2003 but a warrant wasn't
given until 2004.... In June or July 2005, I was scooped from the
street by Scotland Yard. I was kept at Belgravia Police Station
overnight. I just wore what I had on when I was out; I didn't get a
chance to wear a suit in court. I was given police bail.
WN: When will they make a decision about extradition?
McKinnon: It's down to the Home Secretary, John Reid. The deadline for
representations is 21 June 2006. Even after that date, it could be as
much as 11 months for him to decide on my fate.
WN: How have you been coping?
McKinnon: God, it's very worrying and stressful. It's been worse
because I'm unemployed. I worked on and off in IT, contracting and
stuff, before this, but no one will touch me with a large barge pole
now.
© Copyright 2006, Lycos, Inc.
From isn at c4i.org Thu Jun 22 03:30:48 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:30:48 -0500 (CDT)
Subject: [ISN] UBS Trial: Defense Attacks 'Sloppy' Investigation
Message-ID:
http://www.informationweek.com/management/showArticle.jhtml?articleID=189600069
By Sharon Gaudin
InformationWeek
Jun 21, 2006
Newark, N.J. -- After taking it on the chin last Friday, the defense
in a computer sabotage trial here pounded away at the Secret Service
agent on the stand, riding him on missteps in the investigation, and
once again attacking the fact that hackers worked at one of the
computer forensics companies involved in the case.
Special Agent Gregory O'Neil of the U.S. Secret Service was repeatedly
questioned by defense attorney Chris Adams about an initial forensic
report with a missing page, an unidentified latent fingerprint on a
key piece of evidence, and some incorrect dates on a Secret Service
report.
O'Neil, who was a lead investigator in the matter, took the stand as a
witness for the prosecution in the federal computer sabotage case.
Adams, a partner at Walder Hayden & Brogan in Roseland, N.J., is the
lead defense lawyer for Roger Duronio, the 63-year-old former systems
administrator accused of planting a logic bomb that crippled the
network at UBS PaineWebber four years ago.
Duronio is facing four charges in connection with allegedly writing
and planting malicious code on the Unix-based network at UBS
PaineWebber, where he had been working for three years. The attack
effectively took down about 2,000 of the company's servers, some of
which were brought back up in a day, but others remained down for two
to three weeks.
In his cross examination of O'Neil, Adams also focused his sights on
one specific forensic investigator who had been a hacker before
working at @Stake, Inc., the security company that UBS first called in
to check out the March 4, 2002 incident.
Karl Kasper, known in the industry as John Tan, identified himself to
the federal agent as John Tan, and signed documents with that name.
The defense asked O'Neil why he would trust the word, or the work, of
someone who gave a false name to the Secret Service. O'Neil replied
that he didn't regard it as a false name, simply a name Kasper uses in
the trade.
And last Friday, O'Neil said that all roads in the investigation led
back to Duronio. First off, he had pointed out that a digital trail
led from Duronio's home IP address through the corporate VPN and into
the company's servers, on exactly the same dates and times that the
malicious code was planted or modified.
O'Neil also told the jury that during the execution of a search
warrant on the Duronio home, Secret Service agents found parts of the
malicious code on two of his home computers, as well as printed out in
a hardcopy that was found on his bedroom dresser.
Following the Money
When the trial resumed Tuesday morning, Agent O'Neil took the stand
for the second day, and laid out a summary of Duronio's trading
activity that he had put together based on the defendant's banking,
trading and mortgage information. He testified that Duronio bought a
total of 330 put options in the month before the security attack at
UBS. He had bought stocks before, but never puts, which basically are
a way to place bets that the company's stock will go down. The
investor only gets a payoff if the company stock drops.
Duronio, according to Agent O'Neil, spent $23,025.12 on puts between
Feb. 5, 2002 and March 1, 2002. While he bought a handful of puts on
other companies, like Merrill Lynch and Citigroup, 96% of them were
against UBS.
The agent also pointed out to the jury that Duronio, who allegedly
became disgruntled with the company when his annual bonus came in
$15,000 under expectations, had recently made two payments of
approximately $18,000 each to New York University for his oldest son's
tuition.
Hackers and Pseudonyms
During the cross, Adams lost no time in taking another swing at
@Stake, the first company on scene to do a forensics investigation.
Last week, Adams repeatedly asked witnesses from UBS' IT department if
they trusted hackers or would hire a security company that employs
hackers.
The research labs in @Stake, which was bought by Symantec Corp. in
2004, were headed up by Peiter C. Zatko (also known in the industry as
Mudge), the former CEO and chief scientist of the L0pht, a
high-profile hacker think tank. Zatko, however, worked his way into
the legitimate business world, testifying before a Senate Committee on
Government Affairs, and counseling President Clinton in the White
House on security issues.
Mendez testified that other Wall Street firms had recommended several
forensic companies, including @Stake, to UBS after their servers were
taken down.
In Tuesday's testimony, Agent O'Neil said he had received 10 items of
evidence from Kasper (John Tan), who worked at @Stake and was involved
in the UBS investigation. Adams projected a Documentation of Evidence
sheet onto a screen in front of the jurors that showed that Kasper had
signed his name as 'John Tan' on the official list that was handed
over to the government. He also had signed another Certified Inventory
of Evidence document with that name.
O'Neil said he had not been aware until late in 2004 or early in 2005
that John Tan actually is the screen name for Karl Kasper.
''He lied to you about the most basic information,'' Adams said. But
during repeated questioning about it, O'Neil replied, ''He used John
Tan to identify himself in his work at @Stake. A fictitious name
doesn't affect what's in the evidence itself.'' But in a separate
interview, Johannes Ullrich, chief research officer at the SANS
Institute, said he was surprised that Kasper would use a nickname or
pseudonym when working with federal agents.
''I've never heard of that before,'' said Ullrich. ''A lot of people
go by hack names but to use it during an investigation, I wouldn't do
it. If you talk to the Secret Service, or to any client, it's not
professional.''
However, Alan Paller, director of research at the SANS Institute, was
much less surprised by it. In an interview, he said it's very common
for people to use their 'handles' whenever they're in a work-related
situation. ''It's like a woman using her maiden name even after she's
married, because everyone in the office knows her as Brenda Jones,''
said Paller. ''It's the mindset of the black hat community. It was
common to have a second life. You build up your reputation as a
security expert with that second name. It's quite natural that he used
his second name because that's the name with the security credibility
associated with it.''
Kasper, going by the name John Tan, has spoken at SANS and Black Hat
conferences. In 2005, he took a job with JP Morgan Chase doing
application security assessment/penetration testing.
On the Attack
The defense attorney didn't narrow his field of attack to Kasper.
Adams pointed out that the initial report that @Stake produced was
missing Page 17, but it was included in a later release of the report.
Both O'Neil and the prosecutors took exception to Adams characterizing
the page as having been 'withheld.'
O'Neil said the information on that page was ''forward looking'' and
not pertinent to the criminal investigation.
Page 17, in part, refers to two other UBS employees who had been
investigated. O'Neil said he and other agents interviewed both men for
one to two hours each but there was no evidence of criminal activity.
Then Adams asked if O'Neil knew that both men had been put on
administrative leave after their interviews with law enforcement and
then were let go from the company. O'Neil said he had not been aware
of that till much later.
Adams also asked him if he knew of any severance agreement that
precluded the two men from speaking about the investigation with
anyone outside of UBS or the government. O'Neil replied that he did
not know of any such agreement.
Duronio's defense attorney used the agent's time on the stand as a
chance to point out that the government does not have reports from
Verizon, which was Duronio's ISP at the time of the attack, for
several dates when forensics showed that the malicious code was being
planted or modified on the company network. Under subpoena, Verizon
had produced records about the dates and times of some connections,
along with the IP addresses where the connections originated.
And Adams pounced on the fact that a latent fingerprint was found on
the hardcopy printout of the malicious code that was found on
Duronio's dresser. The print, O'Neil testified, did not belong to the
defendant or to two agents who handled the paper. He said he doesn't
know whose fingerprint it is.
Copyright © 2005 CMP Media LLC
From isn at c4i.org Thu Jun 22 03:31:00 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 22 Jun 2006 02:31:00 -0500 (CDT)
Subject: [ISN] Audit finds state computer security needs improvement
Message-ID:
http://www.billingsgazette.net/articles/2006/06/20/news/state/24-computer-audit.txt
By The Associated Press
June 20, 2006
HELENA -- The state computer system building, and the taxpayer
information and other sensitive data it holds, are vulnerable to
security breaches, legislative auditors told lawmakers Tuesday.
The audit came one day after the state computer system's second
failure in less than a month.
The computer system for much of state government, including servers
and key network systems, is housed in the basement of a 60-year-old
building that is not completely secure, legislative auditors said.
The computer systems are behind a door that requires an access
keycard, but the wall does not extend to the ceiling, the audit said.
Legislative Audit Division staff said the computer center relies on
"security through obscurity."
State Chief Information Officer Dick Clark said his staff has
developed a series of quick deadlines to meet improvements suggested
by the auditors. The governor's office also has talked about
constructing a new building for the computer system.
Lawmakers said the lack of security is a big problem because state
computers warehouse a lot of sensitive data, including complete
records on taxpayers and others.
"I think this is some pretty serious stuff," said Rep. Dee Brown,
R-Hungry Horse.
Clark said his agency also is reviewing the credentials given to
people who have access to the computer system's location.
Auditors made a number of suggestions, including the need for a better
inventory of all the systems and data in the computer center, more
intense security precautions, and strengthened safeguards to mitigate
risks associated with earthquakes or flooding in the building's
basement.
The shutdown of the computer system on Monday had nothing to do with
security.
The system shut itself down after a fire alarm went off in the
building and fire extinguishers released a chemical to suck oxygen
from the air. The equipment was brought back on line late in the
afternoon.
In late May, most of the state computer system went down for a day
when a major piece of network equipment failed.
Copyright © The Billings Gazette
From isn at c4i.org Fri Jun 23 15:38:23 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:38:23 -0500 (CDT)
Subject: [ISN] REVIEW: "The CISO Handbook",
Mike Gentile/Ron Collette/Tom August
Message-ID:
Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
BKCISOHB.RVW 20060520
"The CISO Handbook", Mike Gentile/Ron Collette/Tom August, 2006,
0-8493-1952-8, U$69.95/C$89.95
%A Mike Gentile
%A Ron Collette
%A Tom August
%C 920 Mercer Street, Windsor, ON N9A 7C2
%D 2006
%G 0-8493-1952-8
%I Auerbach Publications
%O U$69.95/C$89.95 800-950-1216 auerbach at wgl.com orders at crcpress.com
%O http://www.amazon.com/exec/obidos/ASIN/0849319528/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0849319528/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0849319528/robsladesin03-20
%O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 322 p.
%T "The CISO Handbook: A Practical Guide to Securing Your Company"
The introduction states that there are generally two kinds of books on
the security shelf--the "hack to secure" tomes and the exam
preparation guides. (It may sometimes seem like the literature is
restricted to those kinds of texts, although I would add a third that
seems to be all too prevalent: poorly executed security management
works. However, I fully sympathize with the authors' disdain for the
"hacking" books, as well as their reasoning of the limited value of
such manuals.) The authors also describe a standard structure for
each chapter, as well as an overall design of the publication,
following a fairly standard project management framework.
Chapter one covers assessment. While this may not be a big surprise
to those with the slightest familiarity with project management
fundamentals, the authors provide a very complete description of the
information that will be useful in appraising any situation in which
you may find yourself. (The writing is generally clear and easy
enough to read, but the point of the examples and illustrations is not
always obvious or even intelligible. In some cases it seems the
desire to entertain has overwhelmed exegetical utility.) A very
complete checklist is given at the end of the chapter. Planning, in
chapter two, does not fare as well. Much of the material reiterates
the importance of obtaining information, or outlines organizational
structures, personnel, and skills. (Rather ironically, the
recommendations assume a fairly large corporation, budget, and staff,
which was one of the complaints the authors made, in the introduction,
about other security books.) Design is a difficult project to nail
down, but chapter three doesn't really even try. Various aspects of
security management, such as policy components, promotion to the rest
of the company, and security reviews, are the major substance dealt
with (some of the topics multiple times). Project management is
covered in chapter four. Very detailed and complete project
management, directed at creating a specific design and implementation,
but applicable to any kind of project. (It is somewhat telling that
the end-of-chapter checklists, which have been getting shorter, vanish
entirely here.) Since the overall thread of the book has been to move
through the phases of a large project, one could expect that the title
of chapter five, "Reporting," refers to a report back to management on
progress or completion. Not so: marketing of security to the
enterprise, which has been a thread all the way through the book, now
gets a chapter all its own. Chapter six repeats the outline of the
book we received in the introduction.
A work addressed to the CISO (Chief Information Security Officer) can
be expected to be primarily concerned with management issues.
However, with the exception of chapter one, very little in the book
could not be equally applicable to any C-level executive. (It is
interesting to note that, of the references, only two deal with
security, twenty-seven are business books.) Indeed, even though
Charles Sennewald wrote "Effective Security Management" (cf.
BKEFSCMN.RVW) for those dealing with physical security, there is more
practical advice for senior information security management in it than
in "The CISO Handbook."
While the authors have outlined definite structures for the chapters,
these patterns are not always easy to determine or follow. I
frequently found myself lost in the chapters, and while I could
eventually realize where I was in the formation, the inconsistency and
multiplicity of header formats certainly did not help matters any.
Still, the work does have significant value. Those who rise through
the ranks of computer security frequently lack management experience
and knowledge, and this addresses, in some detail, the necessary
skills. Not as directly, perhaps, as Fred Cohen in the "Governance
Guidebook" (cf. BKCISOGG.RVW), but usefully nonetheless.
copyright Robert M. Slade, 2006 BKCISOHB.RVW 20060520
====================== (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org
The brain is a mass of cranial nerve tissue, most of it in mint
condition. - Robert Half
Dictionary Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
From isn at c4i.org Fri Jun 23 15:38:37 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:38:37 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-25
Message-ID:
========================================================================
The Secunia Weekly Advisory Summary
2006-06-15 - 2006-06-22
This week: 69 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
The Secunia staff spend hours every day to ensure that you have the best
and most reliable source of vulnerability information. Every single
vulnerability report is validated and verified before a Secunia
advisory is written.
Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/
========================================================================
2) This Week in Brief:
Two vulnerabilities have been discovered in Microsoft Windows and
Microsoft Excel, which can be exploited to compromise a vulnerable
system.
The first, SA20686, has, according to Microsoft, already been used in
targeted "zero-day" attacks against a few companies.
Currently, no patches are available from Microsoft. Please refer to
the referenced Secunia advisories below for additional details.
References:
http://secunia.com/SA20686
http://secunia.com/SA20748
--
A vulnerability has been discovered in WinAmp, which potentially can
be exploited by malicious people to compromise a user's system.
An updated version has been released by the vendor that fixes this
vulnerability.
Reference:
http://secunia.com/SA20722
--
VIRUS ALERTS:
During the past week Secunia collected 224 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.
========================================================================
3) This Weeks Top Ten Most Read Advisories:
1. [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
2. [SA20748] Microsoft Office Long Link Buffer Overflow Vulnerability
3. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
4. [SA20595] Microsoft Internet Explorer Multiple Vulnerabilities
5. [SA20576] Adobe Reader Unspecified Vulnerabilities
6. [SA20699] Cisco Secure ACS for Unix Cross-Site Scripting
Vulnerability
7. [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
8. [SA15601] Mozilla / Mozilla Firefox Frame Injection Vulnerability
9. [SA15779] Sendmail Multi-Part MIME Message Handling Denial of
Service
10. [SA20661] Horde Cross-Site Scripting Vulnerabilities
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
[SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
[SA20721] ASP Stats Generator SQL Injection and Code Injection
[SA20719] Hitachi Products MDAC RDS.Dataspace ActiveX Vulnerability
[SA20756] MAILsweeper for SMTP/Exchange Multiple Vulnerabilities
[SA20752] Maximus SchoolMAX "error_msg" Parameter Cross-Site Scripting
[SA20743] Hosting Controller Privilege Escalation Vulnerability
[SA20698] SSPwiz Plus "message" Cross-Site Scripting Vulnerability
UNIX/Linux:
[SA20710] SUSE update for awstats
[SA20709] Gentoo update for mozilla-thunderbird
[SA20708] Gentoo update for typespeed
[SA20766] SUSE Updates for Multiple Packages
[SA20716] Ubuntu update for kernel
[SA20715] Trustix update for libtiff
[SA20712] Ubuntu update for mysql-dfsg
[SA20703] Linux Kernel "xt_sctp" Denial of Service Vulnerability
[SA20694] Mandriva update for sendmail
[SA20693] Mandriva update for libtiff
[SA20690] Gentoo update for pam_mysql
[SA20692] Mandriva update for spamassassin
[SA20750] Debian update for horde2
[SA20734] CHM Lib "extract_chmLib" Directory Traversal Vulnerability
[SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability
[SA20754] dhcdbd DHCP Message Handling Denial of Service
[SA20702] Mandriva update for kdebase
[SA20729] NetPBM pamtofits Off-By-One Buffer Overflow Vulnerability
[SA20711] HP-UX Support Tools Manager Denial of Service Vulnerability
Other:
[SA20726] FortiMail Sendmail Multi-Part MIME Message Handling
Vulnerability
[SA20720] FortiGate FTP Anti-Virus Scanning Bypass Vulnerability
Cross Platform:
[SA20771] Ralf Image Gallery File Inclusion Vulnerabilities
[SA20769] SmartSiteCMS "root" File Inclusion Vulnerability
[SA20768] BandSite CMS "root_path" File Inclusion Vulnerabilities
[SA20758] Micro CMS "microcms_path" Parameter File Inclusion
Vulnerability
[SA20744] Ad Manager Pro "ipath" Parameter File Inclusion
Vulnerability
[SA20733] easy-CMS Multiple File Extensions Vulnerability
[SA20731] Eduha Meeting PHP File Upload Vulnerability
[SA20713] CMS Faethon "mainpath" File Inclusion and Cross-Site
Scripting Vulnerabilities
[SA20695] Bitweaver Multiple Vulnerabilities and Weakness
[SA20772] Invision Power Board Hexadecimal HTML Entities Script
Insertion
[SA20763] IMGallery "galerie.php" SQL Injection Vulnerabilities
[SA20761] Ultimate Estate Cross-Site Scripting and SQL Injection
[SA20753] BtitTracker "torrents.php" SQL Injection Vulnerabilities
[SA20747] thinkWMS Multiple SQL Injection Vulnerabilities
[SA20746] Joomla! "Name" SQL Injection Vulnerability
[SA20745] Mambo "Name" SQL Injection Vulnerability
[SA20740] phpTRADER SQL Injection Vulnerabilities
[SA20739] xarancms "id" Parameter SQL Injection Vulnerability
[SA20738] tplShop "first_row" Parameter SQL Injection Vulnerability
[SA20732] IBM WebSphere Application Server Multiple Vulnerabilities
[SA20730] VUBB SQL Injection and Cross-Site Scripting Vulnerabilities
[SA20727] e107 Cross-Site Scripting and Script Insertion
[SA20724] singapore "template" Parameter Local File Inclusion
Vulnerability
[SA20706] Clubpage Cross-Site Scripting and SQL Injection
Vulnerabilities
[SA20705] Free Realty "sort" SQL Injection Vulnerability
[SA20704] Open-Realty "sorttype" SQL Injection Vulnerability
[SA20701] VBZooM "QuranID" SQL Injection Vulnerability
[SA20700] Groupmax Address/Mail Server Denial of Service Vulnerability
[SA20696] Virtual War "war.php" SQL Injection Vulnerabilities
[SA20767] Atlassian JIRA Enterprise Edition Cross-Site Scripting
Vulnerability
[SA20764] myPHP Guestbook Cross-Site Scripting Vulnerabilities
[SA20742] UltimateGoogle "REQ" Cross-Site Scripting Vulnerability
[SA20737] Ultimate eShop "subid" Cross-Site Scripting Vulnerability
[SA20736] Tradingeye Shop "image" Cross-Site Scripting Vulnerability
[SA20735] Cisco CallManager Web Interface Cross-Site Scripting
Vulnerabilities
[SA20728] Confixx Pro Cross-Site Scripting Vulnerabilities
[SA20725] AssoCIateD "menu" Cross-Site Scripting Vulnerability
[SA20718] phpMyDirectory Cross-Site Scripting Vulnerabilities
[SA20697] iPostMX 2005 "RETURNURL" Cross-Site Scripting
Vulnerabilities
[SA20691] NC LinkList "index.php" Cross-Site Scripting Vulnerabilities
========================================================================
5) Vulnerabilities Content Listing
Windows:--
[SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-20
kcope has discovered a vulnerability in Microsoft Windows, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20748/
--
[SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-21
BassReFLeX has discovered a vulnerability in WinAmp, which potentially
can be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20722/
--
[SA20721] ASP Stats Generator SQL Injection and Code Injection
Critical: Highly critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2006-06-19
Hamid Ebadi has reported two vulnerabilities in ASP Stats Generator,
which can be exploited by malicious people to conduct SQL injection
attacks and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20721/
--
[SA20719] Hitachi Products MDAC RDS.Dataspace ActiveX Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-20
Hitachi has acknowledged a vulnerability in various products, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20719/
--
[SA20756] MAILsweeper for SMTP/Exchange Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS
Released: 2006-06-21
Some vulnerabilities have been reported in MAILsweeper for
SMTP/Exchange, which can be exploited by malicious people to bypass
certain security restrictions and potentially cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20756/
--
[SA20752] Maximus SchoolMAX "error_msg" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20
Charles H. has reported a vulnerability in Maximus SchoolMAX, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20752/
--
[SA20743] Hosting Controller Privilege Escalation Vulnerability
Critical: Less critical
Where: From remote
Impact: Privilege escalation
Released: 2006-06-20
A vulnerability has been reported in Hosting Controller, which can be
exploited by malicious users to perform certain actions with escalated
privileges.
Full Advisory:
http://secunia.com/advisories/20743/
--
[SA20698] SSPwiz Plus "message" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-16
r0t has reported a vulnerability in SSPwiz Plus, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20698/
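The records above all follow one fixed layout: a bracketed SA number and
title, then Critical/Where/Impact/Released fields, a short description,
"Full Advisory:" followed by the URL, and "--" between records, with a
"Platform:--" line opening each platform group. As an added example, not
part of the Secunia mailing, here is a Python parser for that layout that
turns a digest into records and ranks them by Secunia's five criticality
labels, putting remote "System access" issues first within a level. The
numeric ranks and the SAMPLE_DIGEST are this example's own; the sample is
constructed from three records that appear in this issue, one of them with
an Impact line that wraps.

```python
import re
from dataclasses import dataclass

# Secunia's five criticality labels, worst first.  The labels are Secunia's;
# the numeric ranks are this example's own, used only for sorting.
CRITICALITY_RANK = {
    "Extremely critical": 5,
    "Highly critical": 4,
    "Moderately critical": 3,
    "Less critical": 2,
    "Not critical": 1,
}
FIELDS = ("Critical", "Where", "Impact", "Released")
HEADER_RE = re.compile(r"^\[(SA\d+)\]\s+(.*)$")
PLATFORM_RE = re.compile(r"^([A-Za-z/ ]+):--$")

# Constructed sample in the digest layout: two Windows records and one
# Cross Platform record whose Impact list wraps onto a second line.
SAMPLE_DIGEST = """\
Windows:--
[SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-20
kcope has discovered a vulnerability in Microsoft Windows, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20748/
--
[SA20743] Hosting Controller Privilege Escalation Vulnerability
Critical: Less critical
Where: From remote
Impact: Privilege escalation
Released: 2006-06-20
A vulnerability has been reported in Hosting Controller, which can be
exploited by malicious users to perform certain actions with escalated
privileges.
Full Advisory:
http://secunia.com/advisories/20743/
Cross Platform:--
[SA20695] Bitweaver Multiple Vulnerabilities and Weakness
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information,
System access
Released: 2006-06-17
rgod has reported some vulnerabilities and a weakness in Bitweaver,
which can be exploited by malicious people to disclose certain system
information, conduct cross-site scripting attacks, and potentially
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20695/
"""


@dataclass
class Advisory:
    sa_id: str
    title: str
    platform: str
    critical: str
    where: str
    impact: list[str]
    released: str
    url: str
    description: str

    @property
    def rank(self) -> int:
        return CRITICALITY_RANK.get(self.critical, 0)

    @property
    def remote_system_access(self) -> bool:
        # "From remote" plus "System access" is the combination to patch first.
        return self.where == "From remote" and "System access" in self.impact


def parse_digest(text: str) -> list[Advisory]:
    """Parse content-listing records (section 5 layout) into Advisory objects."""
    advisories: list[Advisory] = []
    platform = ""
    fields: dict[str, str] = {}
    desc: list[str] = []
    last_key = ""
    expect_url = False

    def flush() -> None:
        if "sa_id" in fields:
            advisories.append(Advisory(
                sa_id=fields["sa_id"],
                title=fields["title"],
                platform=platform,
                critical=fields.get("Critical", ""),
                where=fields.get("Where", ""),
                impact=[i.strip() for i in fields.get("Impact", "").split(",") if i.strip()],
                released=fields.get("Released", ""),
                url=fields.get("url", ""),
                description=" ".join(desc),
            ))
        fields.clear()
        desc.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if line == "--":                      # record separator
            flush()
            continue
        m = PLATFORM_RE.match(line)
        if m:                                 # "Windows:--" style group header
            flush()
            platform = m.group(1)
            continue
        m = HEADER_RE.match(line)
        if m:                                 # "[SA20748] Title" opens a record
            flush()
            fields["sa_id"], fields["title"] = m.group(1), m.group(2)
            last_key, expect_url = "title", False
            continue
        if "sa_id" not in fields or not line:
            continue
        if expect_url:                        # the line after "Full Advisory:"
            fields["url"], expect_url = line, False
            continue
        if line == "Full Advisory:":
            expect_url = True
            continue
        key, sep, value = line.partition(": ")
        if sep and key in FIELDS:
            fields[key], last_key = value, key
        elif last_key == "title":             # wrapped title line
            fields["title"] += " " + line
        elif last_key == "Impact" and fields["Impact"].endswith(","):
            fields["Impact"] += " " + line    # wrapped Impact list
        else:
            desc.append(line)                 # free-text description
    flush()
    return advisories


def triage(advisories: list[Advisory], min_level: str = "Moderately critical") -> list[Advisory]:
    """Keep advisories at or above min_level, worst first; remote system access first within a level."""
    floor = CRITICALITY_RANK[min_level]
    keep = [a for a in advisories if a.rank >= floor]
    return sorted(keep, key=lambda a: (-a.rank, not a.remote_system_access, a.sa_id))


if __name__ == "__main__":
    for a in triage(parse_digest(SAMPLE_DIGEST), "Less critical"):
        print(f"{a.sa_id}  {a.critical:<20} {a.where:<18} {a.platform:<15} {a.title}")
```

Run against a saved copy of the whole mailing, this yields the same
ordering a human triager would apply by eye: the "Highly critical / From
remote / System access" rows first, XSS-only rows last. The wrapped-line
handling matters because the summary hard-wraps at roughly 72 columns, so
long titles and multi-item Impact lists routinely span two lines.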
UNIX/Linux:--
[SA20710] SUSE update for awstats
Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2006-06-20
SUSE has issued an update for awstats. This fixes a vulnerability and a
security issue, which can be exploited by malicious people to bypass
certain security restrictions or to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20710/
--
[SA20709] Gentoo update for mozilla-thunderbird
Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, System access
Released: 2006-06-20
Gentoo has issued an update for mozilla-thunderbird. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions, conduct cross-site scripting and HTTP
response smuggling attacks, and potentially compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/20709/
--
[SA20708] Gentoo update for typespeed
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-20
Gentoo has issued an update for typespeed. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/20708/
--
[SA20766] SUSE Updates for Multiple Packages
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2006-06-21
SUSE has issued updates for multiple packages. These fix some
vulnerabilities and a weakness, which can be exploited by malicious
people to bypass certain security restrictions, to cause a DoS (Denial
of Service) or potentially to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20766/
--
[SA20716] Ubuntu update for kernel
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Exposure of sensitive information, DoS
Released: 2006-06-19
Ubuntu has released an update for the kernel. This fixes some
vulnerabilities and weaknesses, which can be exploited by malicious,
local users to cause a DoS (Denial of Service), gain knowledge of
potentially sensitive information and bypass certain security
restrictions, and by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20716/
--
[SA20715] Trustix update for libtiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-19
Trustix has issued updates for multiple packages. These fix some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20715/
--
[SA20712] Ubuntu update for mysql-dfsg
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-19
Ubuntu has issued an update for mysql-dfsg. This fixes a vulnerability,
which potentially can be exploited by malicious people to conduct SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20712/
--
[SA20703] Linux Kernel "xt_sctp" Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-20
A vulnerability has been reported in Linux Kernel, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20703/
--
[SA20694] Mandriva update for sendmail
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-16
Mandriva has issued an update for sendmail. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20694/
--
[SA20693] Mandriva update for libtiff
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-16
Mandriva has issued an update for libtiff. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20693/
--
[SA20690] Gentoo update for pam_mysql
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-16
Gentoo has issued an update for pam_mysql. This fixes some
vulnerabilities, which potentially can be exploited by malicious people
to cause a DoS (Denial of Service) or compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20690/
--
[SA20692] Mandriva update for spamassassin
Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2006-06-16
Mandriva has issued an update for spamassassin. This fixes a
vulnerability, which can be exploited by malicious people to compromise
a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20692/
--
[SA20750] Debian update for horde2
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-19
Debian has issued an update for horde2. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20750/
--
[SA20734] CHM Lib "extract_chmLib" Directory Traversal Vulnerability
Critical: Less critical
Where: From remote
Impact: System access
Released: 2006-06-19
A vulnerability has been reported in CHM Lib (chmlib), which
potentially can be exploited by malicious people to compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/20734/
--
[SA20699] Cisco Secure ACS for Unix Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-16
A vulnerability has been reported in Cisco Secure ACS for Unix, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20699/
--
[SA20754] dhcdbd DHCP Message Handling Denial of Service
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-06-21
Florian Hackenberger has reported a vulnerability in dhcdbd, which can
be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20754/
--
[SA20702] Mandriva update for kdebase
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-16
Mandriva has issued an update for kdebase. This fixes a vulnerability,
which can be exploited by malicious, local users to gain knowledge of
sensitive information.
Full Advisory:
http://secunia.com/advisories/20702/
--
[SA20729] NetPBM pamtofits Off-By-One Buffer Overflow Vulnerability
Critical: Not critical
Where: From remote
Impact: DoS
Released: 2006-06-20
A vulnerability has been reported in NetPBM, which can be exploited by
malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20729/
--
[SA20711] HP-UX Support Tools Manager Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-06-19
A vulnerability has been reported in HP-UX, which can be exploited by
malicious, local users to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20711/
Other:--
[SA20726] FortiMail Sendmail Multi-Part MIME Message Handling
Vulnerability
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-21
A vulnerability has been reported in FortiMail, which potentially can
be exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20726/
--
[SA20720] FortiGate FTP Anti-Virus Scanning Bypass Vulnerability
Critical: Less critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-21
A vulnerability has been reported in FortiGate, which can be exploited
by malicious people to bypass certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20720/
Cross Platform:--
[SA20771] Ralf Image Gallery File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-21
David "Aesthetico" Vieira-Kurz has discovered a vulnerability in Ralf
Image Gallery (RIG), which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20771/
--
[SA20769] SmartSiteCMS "root" File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-21
Archit3ct and IR4DEX GROUP have discovered a vulnerability in
SmartSiteCMS, which can be exploited by malicious people to compromise
a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20769/
--
[SA20768] BandSite CMS "root_path" File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-21
Kw3[R]Ln has reported some vulnerabilities in BandSite CMS, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20768/
--
[SA20758] Micro CMS "microcms_path" Parameter File Inclusion
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-20
CeNGiZ-HaN has discovered a vulnerability in Micro CMS, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20758/
--
[SA20744] Ad Manager Pro "ipath" Parameter File Inclusion
Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-20
Basti has reported a vulnerability in Ad Manager Pro, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20744/
--
[SA20733] easy-CMS Multiple File Extensions Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-19
Liz0ziM has discovered a vulnerability in easy-CMS, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20733/
--
[SA20731] Eduha Meeting PHP File Upload Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-19
Liz0ziM has reported a vulnerability in Eduha Meeting, which can be
exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20731/
--
[SA20713] CMS Faethon "mainpath" File Inclusion and Cross-Site
Scripting Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, System access
Released: 2006-06-19
Some vulnerabilities have been discovered in CMS Faethon, which can be
exploited by malicious people to conduct cross-site scripting attacks
or to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20713/
--
[SA20695] Bitweaver Multiple Vulnerabilities and Weakness
Critical: Highly critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information,
System access
Released: 2006-06-17
rgod has reported some vulnerabilities and a weakness in Bitweaver,
which can be exploited by malicious people to disclose certain system
information, conduct cross-site scripting attacks, and potentially
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20695/
--
[SA20772] Invision Power Board Hexadecimal HTML Entities Script
Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-21
A vulnerability has been reported in Invision Power Board, which can be
exploited by malicious people to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20772/
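The title of SA20772 names the class rather than the details: markup
written as hexadecimal HTML entities (&#x3c; for "<") passes a filter that
inspects the submission as typed, and becomes live markup once a later
stage decodes the entities. As an added example, which is not Invision
Power Board's code and assumes nothing about where IPB's filter actually
sat, the Python below puts a "filter first, decode later" pipeline beside
a "canonicalise, filter, escape on output" one; the pipelines and payloads
are constructed for the illustration.

```python
import html
import re
from typing import Optional

# A block-list check of the kind a forum might apply to post bodies.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def canonicalize(raw: str, max_passes: int = 5) -> str:
    """Decode HTML entities until the text stops changing.

    One html.unescape() turns &#x3c; into <; a double-encoded &amp;#x3c;
    needs a second pass.  The bound keeps a hostile input from looping.
    """
    text = raw
    for _ in range(max_passes):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text


def naive_filter(raw: str) -> bool:
    """True if the filter rejects: it inspects the submission exactly as typed."""
    return SCRIPT_RE.search(raw) is not None


def vulnerable_pipeline(raw: str) -> Optional[str]:
    """Filter first, decode later.

    Models (an assumption for this example, not IPB's code) a formatting
    stage that decodes entities after the filter has run and emits the
    result as markup.  Returns None if rejected, else the HTML emitted.
    """
    if naive_filter(raw):
        return None
    return html.unescape(raw)


def hardened_pipeline(raw: str) -> Optional[str]:
    """Canonicalise, then filter, then escape on output.

    Escaping on output is what actually prevents script insertion; the
    block-list check is kept only so accepted and rejected cases compare.
    """
    canon = canonicalize(raw)
    if SCRIPT_RE.search(canon):
        return None
    return html.escape(canon, quote=True)


if __name__ == "__main__":
    for payload in (
        "<script>alert(1)</script>",                         # literal tag
        "&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;",     # hex entities
        "&#60;script&#62;alert(1)&#60;/script&#62;",         # decimal entities
        "&amp;#x3c;script&amp;#x3e;",                         # double-encoded
        "a &#x3c; b",                                         # benign entity use
    ):
        print(f"{payload!r:50} vulnerable={vulnerable_pipeline(payload)!r} "
              f"hardened={hardened_pipeline(payload)!r}")
```

The practical rule the example shows is that any check on user-supplied
text must run on the same representation the consumer will see; if a
later stage decodes, the check must decode first (or the later stage must
be removed). Whether a given product double-decodes is something to test
rather than assume, which is why the canonicaliser loops to a fixed point.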
--
[SA20763] IMGallery "galerie.php" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-21
r0t has reported some vulnerabilities in IMGallery, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20763/
--
[SA20761] Ultimate Estate Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-21
r0t has reported some vulnerabilities in Ultimate Estate, which can be
exploited by malicious people to conduct cross-site scripting attacks
and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20761/
--
[SA20753] BtitTracker "torrents.php" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-20
r0t has reported two vulnerabilities in BtitTracker, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20753/
--
[SA20747] thinkWMS Multiple SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-21
r0t has reported some vulnerabilities in thinkWMS, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20747/
--
[SA20746] Joomla! "Name" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-19
rgod has discovered a vulnerability in Joomla!, which can be exploited
by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20746/
--
[SA20745] Mambo "Name" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-19
rgod has discovered a vulnerability in Mambo, which can be exploited by
malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20745/
--
[SA20740] phpTRADER SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-21
r0t has reported some vulnerabilities in phpTRADER, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20740/
--
[SA20739] xarancms "id" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-19
r0t has reported a vulnerability in xarancms, which can be exploited by
malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20739/
--
[SA20738] tplShop "first_row" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-19
r0t has discovered a vulnerability in tplShop, which can be exploited by
malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20738/
--
[SA20732] IBM WebSphere Application Server Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-21
Some vulnerabilities have been reported in IBM WebSphere Application
Server, which can be exploited by malicious, local users and malicious
people to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/20732/
--
[SA20730] VUBB SQL Injection and Cross-Site Scripting Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data, Exposure of
system information
Released: 2006-06-20
DarkFig has discovered some vulnerabilities in VUBB, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20730/
--
[SA20727] e107 Cross-Site Scripting and Script Insertion
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20
Ellipsis Security has discovered two vulnerabilities in e107, which can
be exploited by malicious people to conduct cross-site scripting and
script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20727/
--
[SA20724] singapore "template" Parameter Local File Inclusion
Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2006-06-20
Moroccan Security Research Team has discovered a vulnerability in
singapore, which can be exploited by malicious people to disclose
sensitive information.
Full Advisory:
http://secunia.com/advisories/20724/
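SA20724 (a "template" parameter used to include a local file) and SA20734
above (CHM Lib's extract_chmLib writing archive entries through a
traversal path) share one root cause: a path segment the attacker controls
is joined to a base directory and the result is never checked against that
directory. As an added example, not code from either project, the Python
below confines an untrusted path to a base directory on its resolved form,
so "..", absolute paths, symlinks and embedded NUL bytes are all refused by
the same comparison, and applies it to both a template loader and an
archive-style extractor. The demo tree it builds (a temp directory with
default.tpl and a symlink named "up" pointing at the parent) is a
constructed fixture.

```python
import os
import tempfile
from typing import Dict, List, Tuple


class PathEscape(ValueError):
    """Raised when an untrusted path would resolve outside its base directory."""


def confine(base_dir: str, untrusted: str) -> str:
    """Return the resolved path of base_dir/untrusted, or raise PathEscape.

    The boundary is checked on the *resolved* path, so "..", absolute
    paths and symlinks are all caught by one comparison.
    """
    if "\0" in untrusted:
        # Reject NUL explicitly (the truncation trick against C string
        # APIs) instead of relying on os.* raising ValueError for it.
        raise PathEscape("embedded NUL byte in path")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when untrusted is absolute, which is
    # why the check must be made on the resolved result, not the input.
    target = os.path.realpath(os.path.join(base, untrusted))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PathEscape(f"{untrusted!r} resolves to {target}, outside {base}")
    return target


def escapes(base_dir: str, untrusted: str) -> bool:
    """True if confine() refuses the path (for logging and tests)."""
    try:
        confine(base_dir, untrusted)
    except PathEscape:
        return True
    return False


def load_template(template_dir: str, name: str) -> str:
    """A 'template' parameter handler: confine the path, then allow-list the suffix."""
    path = confine(template_dir, name)
    if not path.endswith(".tpl"):
        raise PathEscape(f"{name!r} is not a .tpl file")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def extract_entries(dest_dir: str, entries: Dict[str, bytes]) -> Tuple[List[str], List[str]]:
    """Archive-style extraction that writes an entry only if it stays under dest_dir.

    Returns (written, skipped) entry names.  Directory entries end in "/".
    """
    written, skipped = [], []
    for name, data in entries.items():
        try:
            path = confine(dest_dir, name)
        except PathEscape:
            skipped.append(name)
            continue
        if name.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        written.append(name)
    return written, skipped


def read_under(base_dir: str, name: str) -> bytes:
    """Read a file back through the same confinement check."""
    with open(confine(base_dir, name), "rb") as fh:
        return fh.read()


def build_demo_tree() -> str:
    """Constructed fixture: a temp dir holding default.tpl and a symlink
    'up' that points at the temp dir's parent, i.e. a symlink escape route."""
    base = tempfile.mkdtemp(prefix="confine-demo-")
    with open(os.path.join(base, "default.tpl"), "w", encoding="utf-8") as fh:
        fh.write("<h1>{{title}}</h1>\n")
    os.symlink(os.path.dirname(base), os.path.join(base, "up"))
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    for candidate in ("default.tpl", "../../etc/passwd", "/etc/passwd", "up/x", "default.tpl\0.php"):
        print(f"{candidate!r:25} escapes={escapes(base, candidate)}")
```

Two points the fixture makes concrete: the symlink case shows why a purely
lexical check for ".." is not enough, and the NUL case is refused before
any filesystem call so the error class is the same as for the others. For
the extractor, skipping escaping entries and continuing is the right
default for a library; a CLI may prefer to abort the whole archive.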
--
[SA20706] Clubpage Cross-Site Scripting and SQL Injection
Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-20
r0t has reported some vulnerabilities in Clubpage, which can be
exploited by malicious people to conduct cross-site scripting attacks
and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20706/
--
[SA20705] Free Realty "sort" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-20
r0t has reported a vulnerability in Free Realty, which can be exploited
by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20705/
--
[SA20704] Open-Realty "sorttype" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-20
r0t has discovered a vulnerability in Open-Realty, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20704/
--
[SA20701] VBZooM "QuranID" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-21
CrAzY CrAcKeR has reported a vulnerability in VBZooM, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20701/
--
[SA20700] Groupmax Address/Mail Server Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-20
A vulnerability has been reported in Groupmax Address/Mail Server,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20700/
--
[SA20696] Virtual War "war.php" SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-16
r0t has discovered some vulnerabilities in Virtual War, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20696/
--
[SA20767] Atlassian JIRA Enterprise Edition Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-06-21
r0t has discovered a vulnerability in Atlassian JIRA Enterprise
Edition, which can be exploited by malicious people to disclose system
information and conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20767/
--
[SA20764] myPHP Guestbook Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-21
Some vulnerabilities have been reported in myPHP Guestbook, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20764/
--
[SA20742] UltimateGoogle "REQ" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-21
r0t has reported a vulnerability in UltimateGoogle, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20742/
--
[SA20737] Ultimate eShop "subid" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-21
r0t has reported a vulnerability in Ultimate eShop, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20737/
--
[SA20736] Tradingeye Shop "image" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-19
r0t has reported a vulnerability in Tradingeye Shop, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20736/
--
[SA20735] Cisco CallManager Web Interface Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20
FishNet Security has reported some vulnerabilities in Cisco
CallManager, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20735/
--
[SA20728] Confixx Pro Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-19
p0w3r has reported two vulnerabilities in Confixx Pro, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20728/
--
[SA20725] AssoCIateD "menu" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20
r0t has discovered a vulnerability in AssoCIateD, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20725/
--
[SA20718] phpMyDirectory Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20
r0t has reported two vulnerabilities in phpMyDirectory, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20718/
--
[SA20697] iPostMX 2005 "RETURNURL" Cross-Site Scripting
Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-16
r0t has reported some vulnerabilities in iPostMX 2005, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20697/
--
[SA20691] NC LinkList "index.php" Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-20
r0t has reported some vulnerabilities in NC LinkList, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20691/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
From isn at c4i.org Fri Jun 23 15:38:50 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:38:50 -0500 (CDT)
Subject: [ISN] Security breach report comes out, recommends suspensions
Message-ID:
http://thepost.baker.ohiou.edu/articles/2006/06/22/news/14120.html
Sean Gaffney
skatripp at gmail.com
June 22, 2006
Ohio University suspended two administrators and created a new
position at the recommendation of a network security report Tuesday.
The university suspended Tom Reid, director of Communication Network
Services and Computer Services, and Todd Acheson, manager of Internet
and Systems, until a disciplinary investigation is completed, according
to a university news release. Both men will still be paid while on
suspension.
At a later date, Reid and Acheson will have a chance to respond to the
findings prior to the university's final determination, which could
include termination, according to the news release.
Two independent consultants have been brought in to temporarily manage
the Central Information Technology Management Team, according to the
release.
The report follows a three-week comprehensive analysis of the network
security breaches conducted by Moran Technology Consulting of
Naperville, Ill. The audit analyzed the department and employees,
searching for negligence or faults that contributed to the security
breaches, according to the release.
A new position, Chief of Staff to the Chief Information Officer, has
been created and a national search has been launched to fill the
position, according to the release. Bill Sams is presently the
chief information officer and associate provost for information
technology.
As a result of the report, the Information Technology departments will
be restructured to establish "clear roles, responsibilities, and
accountabilities," according to the release.
Two departments, CNS and Computer Services, were already combined to
ease unnecessary competition and friction that contributed to
department malfeasance. Unnecessary competition between the
departments resulted in negligence, Sams has said in previous
interviews.
OU President Roderick McDavis is working with university officials
and others to solve the problem.
"I am angry and embarrassed by the computer security system lapses
that were undetected before my time as leader of the university,"
McDavis said in the release.
McDavis decreased the IT budget by $1 million since taking office in
2004. There was a 3 percent reduction in the IT budget last year, and
as a 12 percent reduction was being implemented this year, the
security breaches were detected, said university spokesman Jack
Jeffery.
That was "part of the standard reductions made across the university,"
during 2006 fiscal year, Jeffery said. "We wanted to make sure we
weren't cutting from the academic programs," he added.
Sams has previously said that the university has reached a critical
point in budget cuts and will need to replace funds in the IT budget.
Next week, McDavis will request that the OU Board of Trustees
"authorize up to $2 million to invest in securing information
technology systems," according to the release.
The total cost to recover from the security breaches will be millions
of dollars, Sams said.
Since April 21, 365,000 personal identities have been compromised in
security breaches at Ohio University.
The latest breach was detected on a university computer that housed
IRS 1099 tax forms for 2,480 vendors and independent contractors who
worked for the university between 2004 and 2005, according to the
university's Web site. The university also discovered that a computer
hosting a "variety of Web-based forms" that included class lists
containing the social security numbers of about 4,900 current and
former students had been accessed.
The data is fragmentary and it is not certain if the compromised
information can be traced to individuals, according to the
university's Web site.
Employees, students, alumni and contractors have been urged to monitor
credit reports and request fraud watches be placed on their report.
About 24 people have expressed to the university that they have been
victims of identity theft in the past year, according to an Associated
Press article.
Copyright © 2006 The Post
From isn at c4i.org Fri Jun 23 15:39:04 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:39:04 -0500 (CDT)
Subject: [ISN] Wireless piggybacking lands man in trouble
Message-ID:
http://www.katu.com/stories/87037.html
By Dan Tilkin
and KATU.com Web Staff
June 21, 2006
VANCOUVER, Wash. - Brewed Awakenings, with its pithy name, artful
drinks and wireless Internet service, has found itself unexpectedly
percolating on the forefront of high-tech law.
"He doesn't buy anything," Manager Emily Pranger says about the man
she ended up calling 911 about. "It's not right for him to come and
use it."
Pranger says 20-year-old Alexander Eric Smith of Battle Ground sat in
the parking lot in his truck for three months, spending hours at a
time piggybacking on the coffee shop's wireless Internet service for
free.
When deputies told Smith to knock it off, he came back and is now
charged with theft of services.
"It's a repetitive occurrence and it's something that is borderline
creepy," says Pranger.
As it turns out, Smith is a Level One Sex Offender, but whether he in
fact committed a crime by not buying a single tall latte before
accessing the Internet, well that remains to be seen. The sheriff's
office and prosecutors are now reviewing the case.
Eric Gardner is a paying customer at Brewed Awakenings and he agreed
to demonstrate how easy it is to pick off wireless signals.
"I can stop at a stop light and it (my laptop) may automatically log
on to somebody's Internet access and check my e-mail for me," he says.
On a random neighborhood street in Vancouver, a KATU News laptop
detected 11 networks, five of which were unsecured, meaning anyone
could log on to them for free.
The way to protect yourself is to change your wireless router settings
to only allow the computers in your home to access your airwaves.
From isn at c4i.org Fri Jun 23 15:39:14 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:39:14 -0500 (CDT)
Subject: [ISN] FTC attorney's laptops stolen
Message-ID:
http://www.presstelegram.com/business/ci_3969575
By Hope Yen
Associated Press
06/22/2006
WASHINGTON -- The government agency charged with fighting identity
theft said Thursday it had lost two government laptops containing
sensitive personal data, the latest in a series of breaches
encompassing millions of people.
The Federal Trade Commission said it would provide free credit
monitoring for 110 people targeted for investigation whose names,
addresses, Social Security numbers and in some instances, financial
account numbers were taken from an FTC attorney's locked car.
The car theft occurred about 10 days ago. Many of the people whose
data were compromised were being investigated for possible fraud and
identity theft, said Joel Winston, associate director of the FTC's
Division of Privacy and Identity Theft Protection.
The disclosure comes amid a widening data breach that is expected to
cost the government hundreds of millions of dollars. In all, five
government agencies have reported data theft, including the Veterans
Affairs Department, which on May 22 acknowledged losing data on up to
26.5 million veterans.
Among them:
At the Agriculture Department, a hacker who broke into the computer
system, obtaining names, Social Security numbers and photos of 26,000
Washington-area employees and contractors.
At Health and Human Services, personal information for nearly 17,000
Medicare beneficiaries may have been compromised in April when an
insurance company employee called up the data through a hotel computer
and failed to delete the file.
At Energy, Social Security numbers and other data for nearly 1,500
people working for the National Nuclear Security Administration may
have been compromised when a hacker gained entry to its computer
system last fall.
On Thursday, a House panel was cautioned that credit monitoring alone
may not be enough to protect Americans whose names, birth dates and
Social Security numbers were compromised at the hands of the
government.
During the House hearing Thursday, Mike Cook, a co-founder of a
company specializing in data breaches, said identity-theft victims
typically don't become aware they've been hurt until six months after
their data was stolen, when creditors come calling for money owed.
At that point, it's likely the thieves will have moved on, having made
just a few purchases so they don't attract notice, and started using
another victim's information.
As a result, a credit monitoring service would raise a red flag after
it was too late, Cook said. He said data analysis technology was
available to help detect identity theft as it occurs, particularly in
the typical cases in which thieves use stolen identities to
fraudulently obtain credit cards and then make purchases.
Associated Press writer Libby Quaid contributed to this report.
From isn at c4i.org Fri Jun 23 15:39:29 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:39:29 -0500 (CDT)
Subject: [ISN] Microsoft swims upstream on security
Message-ID:
http://news.com.com/Microsoft+swims+upstream+on+security/2100-7355_3-6086967.html
By Joris Evers
Staff Writer, CNET News.com
June 22, 2006
Microsoft's security ambitions don't stop with the consumer. The
company also has an eye on the multibillion-dollar enterprise security
market.
Now that it's launched the Windows Live OneCare security service for
consumers, Microsoft is ramping up its efforts to convince businesses
that it is the solution to, not the source of, their security woes.
The Redmond, Wash., company last week unveiled Forefront, a single
brand that encompasses updated and upcoming security products aimed at
businesses.
The moves are part of Microsoft's attempt to expand its business and
tap new revenue sources, analysts said. Last year, security software
sales hit $12 billion, according to research firm IDC. On the
enterprise side, Yankee Group expects the Windows client security
software market to grow to $3.6 billion this year.
"They are in it for the money, of course," said Andrew Jaquith, an
analyst at Yankee Group. "Microsoft initially was very mysterious
about its security plans. But its steady drumbeat of announcements
over the last months shows intent to be a very broad enterprise
security player."
Under the Forefront plan, the brand-new Microsoft Client Protection
product, now in development, will be sold as Forefront Client Security
for PCs and servers. In addition, updates of Antigen for Exchange and
Antigen for SharePoint will also carry the Forefront tag, Microsoft
said. Antigen for Instant Messaging and the ISA Server firewall and
Web caching software are also in the Forefront group.
"We're going to provide a comprehensive set of security technologies
for businesses that is integrated with their existing infrastructure,
with an emphasis on the deployment, management and ongoing usability,"
said Steve Brown, the director of product management in the security,
access and solutions division at Microsoft.
As far as motivation goes, Microsoft sees its entry into the security
fray as a "very broad opportunity" for itself and for its customers,
Brown said. "The primary reason we're doing this is that there is
clearly a customer need for this approach," he said.
Companies such as McAfee, Symantec, Trend Micro and Computer
Associates have long demonstrated that there's money to be made in
protecting Windows systems. For Microsoft, it's simpler to create
security add-ons than to build security into its products, an approach
that would also make it harder for the company to make extra money, at
least one analyst said.
"This is a rather safe play," said Charles Kolodgy, an analyst at IDC.
"It is easier than building the security into products and not being
able to directly capture revenue. And if their security product line
doesn't work, they can leave the market."
Microsoft has gradually built up its security muscle in recent years
through numerous acquisitions. It bought antivirus specialist GeCAD,
anti-spyware maker Giant Company Software and Sybari Software, maker
of the Antigen products. Its lineup also includes hosted e-mail
security services, picked up through the takeover of FrontBridge
Technologies.
Most recently, the company gobbled up Whale Communications, a
specialist in secure remote access and Web application firewalls. Last
October, it announced it would sell security software for business PCs
and servers. The new product, now called Forefront Client Security, is
due for release in the second quarter of next year.
In catch-up mode
While it's bound to attract some business for its new products right
away, Microsoft has some work to do to become a formidable competitor
in the security area. That's especially true when it comes to
enterprise client security, analysts said.
"They will get some market share just for being Microsoft," Burton
Group analyst Dan Blum said. "To take a majority position, they need
to establish a product that is functionally on par with, or pretty
close to, the likes of McAfee and Symantec," he said, adding that this
likely won't happen until 2008 or 2009.
Symantec, which provides a range of products aimed at protecting
corporate networks and systems, said Thursday that it's ready for any
competition from Microsoft.
"With a level playing field, all the vendors in the security space
will compete for mind share, based on what enterprise customers
believe to be the best product to suit their needs," a representative
of the security software maker said. "Symantec has been the leading
provider of effective protection against viruses and other malicious
threats for more than 15 years."
The main obstacle facing Microsoft is customer distrust. "There are
certain customers that don't trust them because of their previous
track record," Yankee Group's Jaquith said.
The software maker has invested heavily in security over the past
years. Despite this, most malicious software targets Microsoft
products, and the company still deals with lots of security holes.
Last week, for example, it issued 12 security bulletins with fixes for
21 vulnerabilities--the largest number ever for its monthly "Patch
Tuesday" updates.
"You're in one camp or another with them," Jaquith said. Either
businesses are very loyal customers and are rooting for Microsoft, or
they feel they were burned by the company and simply don't trust it,
he said.
And there are those who feel the software giant is trying to turn
lemons into lemonade with its move into the security fray.
"The idea of Microsoft coming up with antivirus software is a sham,"
said Frank Seichal of Old Bridge, N.J., who works in IT at a financial
institution. "Why should I purchase software from Microsoft to stop
the operating system vulnerabilities created by Microsoft? I can not
believe Microsoft is getting away with this."
Another factor to overcome is the high-quality products sold by
incumbent security vendors. McAfee, for example, has earned high marks
from its customers with the ePolicy Orchestrator, a central security
management tool, Jaquith said.
"Microsoft needs to prove reliability, stability and predictability.
They need some success stories," Jaquith said. "Just saying that
they're better integrated and that they make the operating system is
not going to cut it."
In its Forefront documentation, Microsoft promises products that work
well together and with existing IT systems. Additionally, the software
will be simple to install and can be centrally managed, it says.
However, they will protect only Microsoft software and not Linux
servers or SAP applications, for example.
"That is perhaps their greatest disadvantage," Blum said. "They tend
to have this somewhat myopic strategy centered around their own
products and ignoring other products, even those that run on Windows."
Rivals and regulators
Antitrust concerns also lurk. Microsoft may promote Forefront products
as better integrated, but if it has used hooks into its operating
system that are kept secret from rivals, regulators might be all over
the software giant, analysts said.
In fact, some small Microsoft competitors are already complaining about
the company's security pricing strategy. In a blog posting this week,
Alex Eckelberry, president of Clearwater, Fla.-based anti-spyware
toolmaker Sunbelt Software, said Microsoft is engaging in predatory
pricing with its OneCare and Antigen products.
By undercutting its rivals on price, Microsoft is pushing the
competition out of business, after which it will increase its prices,
Eckelberry wrote.
Jaquith dismissed that complaint. "I think they are being creative and
aggressive, but I don't think they are being predatory. There is
plenty of room for pricing innovation in this space," he said.
It was about time that Microsoft fleshed out its security strategy and
shared it with the public, Jaquith said. "Finally we're hearing what
they are doing," he said. "It is a 'damn the torpedoes, full speed
ahead' strategy."
Copyright © 1995-2006 CNET Networks, Inc. All rights reserved.
From isn at c4i.org Fri Jun 23 15:39:48 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 23 Jun 2006 14:39:48 -0500 (CDT)
Subject: [ISN] Forensics Expert Attempts To Link UBS Attack And Defendant
Message-ID:
http://www.informationweek.com/management/showArticle.jhtml?articleID=189600779
By Sharon Gaudin
InformationWeek
June 22, 2006
Newark, N.J. - The government's forensics expert in the ongoing UBS
computer sabotage trial testified Thursday that he not only found the
malicious code that took down about 2,000 of UBS PaineWebber's servers
four years ago, but he also "directly linked" it back to the
defendant's home computer.
Keith Jones, director of computer forensics and incident response at
Mandiant, an information security company, testified that he found the
trigger mechanism for the logic bomb installed on machines across the
company's national network, and that he connected defendant Roger
Duronio's user name and home computer directly to its creation,
modification, distribution and execution.
Duronio, a former systems administrator for UBS, is facing four
federal, criminal charges in connection with the March 4, 2002 attack
that took the company's brokers offline for a day to three weeks. The
attack cost the company $3.1 million in cleanup costs alone.
Jones explained to the jury how he began hunting for the trigger code
and how it worked. Answering questions from Assistant U.S. Attorney
Mauro Wolfe, Jones said the government brought him in to work on the
case a little more than a year after the incident, and he immediately
started searching for files and pieces of code associated with the
logic bomb.
"I started with a clean slate," said Jones, who has 10 years of
computer forensics experience. "A lot of times a company doesn't know
what's going on. They're in a 'let's get things back up and running'
mode. I came in to find out what was happening in the system."
Early on in his testimony, Jones testified about conclusions that he
reached after his three-year investigation into the UBS incident. As
the government flashed accompanying slides on a screen for the jury,
the witness said he found the 25 lines of the bomb's timer on two of
Duronio's home computers, which the U.S. Secret Service had seized
from his house. He also said the hardcopy printout of the code that
federal agents found on Duronio's bedroom dresser was an exact match
for what was in the computers.
Next, Jones said the code caused the massive file deletion that took
down the network. The forensic exam, he added, also revealed that the
timer for the logic bomb, which Jones dubbed "the Duronio Trigger,"
was distributed and intentionally installed on the company's main host
server, as well as on servers in approximately 370 branch offices.
Finally, Jones, who has written his own open-source forensics tools,
said he concluded that Duronio's user name and home computers were
"directly linked" to the building of the logic bomb and to its
presence on UBS's nationwide Unix-based network.
Jones had to explain, to a jury of technical laymen, the basics of
computer code and forensics, source code, binary code, and compilers.
Jones has 10 years experience as a forensics examiner, and has worked
on Unix since he was 16. He holds three college degrees, including a
bachelors in computer engineering and a masters in electrical
engineering. A former systems administrator himself, he also has
written three books, including Real Digital Forensics and The
Anti-Hacker Toolkit.
The defense maintains that the government focused its investigation on
the wrong man. Duronio's attorney has said UBS erred when hiring
@Stake, the first forensics team on the case, because the firm
employed well-known hackers. And Duronio's team also criticized the
Secret Service and how agents handled evidence and other interviews.
Recovery Costs
Earlier in the day, the prosecution put Nancy Bagli, an assistant vice
president with UBS, on the stand.
Bagli, who has been with UBS since 1997, worked in the company's
Contract and Sourcing department at the time of the 2002 attack. She
testified that she worked with group managers to figure out what they
needed for hardware and services to recover from the attack. She also
kept track of what UBS spent on the cleanup.
UBS spent $898,780 on hardware, including IBM and Sun Microsystems
servers; $260,473 on investigative services; and $1,987,036 on
technical consultants, who mainly were from IBM and went out to help
bring the branch offices back up. The company bought refurbished
equipment if they could get it faster than new, Bagli said.
That adds up to a total of $3,146,289 spent on recovery costs alone.
UBS has never reported the price of down business time.
The trial is nearing the end of its third week. Jones is the
prosecution's last witness and will take the stand again Friday
morning. The defense will present its own slate of witnesses starting
next week.
From isn at c4i.org Tue Jun 27 01:26:42 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:26:42 -0500 (CDT)
Subject: [ISN] REVIEW: "How to Break Web Software",
Mike Andrews/James A. Whittaker
Message-ID:
Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
BKHTBWSW.RVW 20060520
"How to Break Web Software", Mike Andrews/James A. Whittaker, 2006,
0-321-36944-0, U$34.99/C$46.99
%A Mike Andrews Mike.Andrews at foundstone.com
%A James A. Whittaker jw at cs.fit.edu
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2006
%G 0-321-36944-0
%I Addison-Wesley Publishing Co.
%O U$34.99/C$46.99 416-447-5101 800-822-6339 bkexpress at aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0321369440/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0321369440/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0321369440/robsladesin03-20
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 219 p. + CD-ROM
%T "How to Break Web Software"
The preface stresses that this book is neither about how to attack a
Web site, nor how to develop one, but, rather, how to test.
Chapter one points out that the Web is a different environment, in
terms of software security, because we have desktop machines, not
centrally administered, talking to everyone (with much of the traffic
being commercial in nature). The authors even point out that issues
of error-handling, performance, and ease-of-use all contribute to
increased levels of vulnerability. Various attacks designed to obtain
information about Web applications, structure, and functions are
described in chapter two. For client-side scripting, chapter three
notes, any validation done on the client should be untrusted and re-
validated on the host, since it may be altered on the client, or data
manually entered as if it came from the client. Chapter four explains
the danger of using client-side data (cookies or code) for state
information. Chapter five examines user supplied data, and delves
into cross-site scripting (XSS, the explanation of which is not well
done), SQL (Standard Query Language) injection, and directory
traversal. Language-based attacks, in chapter six, involve buffer
overflows (which are not explained terribly well), canonicalization
(HTML and Unicode encoding and parsing), and null string attacks. The
server, with utilities and the underlying operating system, can be
reached via stored procedures (excessive functionality), fingerprinted
for other attempts, or subject to denial of service (in limited ways)
as chapter seven notes. "Authentication," in chapter eight, is really
more about encryption: the various false forms (encryption via
obscurity?), brute force attacks against verification systems, and
forcing a system to use weak encryption. Privacy, and related Web
technologies (of which cookies are only one), is reviewed in chapter
nine. Chapter ten looks at Web services, and the vulnerabilities
associated with some of these systems.
The CD-ROM included with the book contains a number of interesting and
useful tools for trying out the various attacks and tests mentioned in
the text.
This book is a valuable addition to the software security literature.
The attacks listed in the work are known, but often by name only.
This text collects and explains a wide variety of Web application
attacks and weaknesses, providing developers with a better
understanding of how their programs may be assailed. Some of the
items mentioned are defined or explained weakly, but these are usually
items that do have good coverage in other security works.
copyright Robert M. Slade, 2006 BKHTBWSW.RVW 20060520
====================== (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org
If a man is called to be a streetsweeper,
he should sweep streets even as Michelangelo painted,
or Beethoven composed music, or Shakespeare wrote poetry.
He should sweep streets so well that all the hosts of
heaven and earth will pause to say,
here lived a great streetsweeper
who did his job well. - Martin Luther King Jr.
Dictionary Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
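The points the review draws from chapters three through six (re-validating client-checked input on the host, directory traversal, canonicalization and null-string input) in working form, as an added example rather than code from the book or the reviewer. The SKU and quantity formats, the catalog and the document root are constructed for illustration.

```python
"""Server-side re-validation and canonicalization of client-supplied data.

Constructed example (not code from the book or the review): the catalog,
document root and field formats below are made up for illustration.
"""
import posixpath
import re
import urllib.parse

# Strict formats for the two order fields; anything else is rejected on the host.
SKU_RE = re.compile(r"[A-Z]{3}-[0-9]{4}")
QTY_RE = re.compile(r"[1-9][0-9]{0,2}")      # 1..999, digits only

# Constructed catalog: prices in cents, kept server-side only.
CATALOG = {"ABC-0001": 1999, "ABC-0002": 499}


def validate_order(form):
    """Re-validate an order on the host.

    `form` stands for the decoded POST body. Whatever checks the client-side
    script ran are irrelevant here: the body may have been edited in the
    browser or sent without a browser at all, so every field is re-checked
    and the price is taken from the catalog, never from the client (no
    state such as a total is trusted from the client side).
    Returns (ok, errors, order).
    """
    errors = []
    sku = form.get("sku", "")
    qty = form.get("qty", "")
    if not SKU_RE.fullmatch(sku) or sku not in CATALOG:
        errors.append("sku")
    if not QTY_RE.fullmatch(qty):
        errors.append("qty")
    if errors:
        return False, errors, None
    order = {"sku": sku, "qty": int(qty), "total_cents": CATALOG[sku] * int(qty)}
    return True, errors, order


# Constructed document root for the download handler.
DOC_ROOT = "/var/www/docs"


def resolve_download(raw_name):
    """Canonicalize a requested file name and confine it to DOC_ROOT.

    Decodes URL escapes once, rejects embedded NUL bytes (the "null string"
    case), normalizes ".." segments, and refuses any result that does not
    name a file strictly under DOC_ROOT (directory traversal, or an absolute
    path that posixpath.join would otherwise honour). Returns the safe path
    or None.
    """
    name = urllib.parse.unquote(raw_name)
    if "\x00" in name:
        return None
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, name))
    if candidate == DOC_ROOT:
        return None
    if posixpath.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    # A body that carries a bogus client-computed total: the total is ignored.
    print(validate_order({"sku": "ABC-0001", "qty": "2", "total": "1"}))
    print(resolve_download("report.pdf"), resolve_download("../../etc/passwd"))
```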
From isn at c4i.org Tue Jun 27 01:27:34 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:27:34 -0500 (CDT)
Subject: [ISN] Crypto utopia Sealand ravaged by fire
Message-ID:
http://www.theregister.co.uk/2006/06/26/sealand_blaze/
By Andrew Orlowski
26th June 2006
Fire has damaged a World War II gun emplacement seven miles off the
English coast. Better known as "Sealand", the fort was acquired in the
1960s by Roy Bates, who declared it an independent principality.
One man was airlifted from the platform after fire broke out in the
generator room on Friday. Eyewitnesses [1] reported heavy damage, and
the blaze was left to burn itself out.
A public statement from the Sealand government said [2]: "Due to a
fire in the generation facility of the Fortress structure it has been
necessary temporarily to evacuate all civilian residents to
alternative accommodation as a matter of safety. This situation is
expected to continue for the next 96 hours, and an update will be
issued within this time."
When Bates purchased the fort, UK sovereignty extended to structures
only three miles from the shoreline. This has since changed, bringing
Sealand within UK jurisdiction, and the principality remains
unrecognised by any other state or international treaty organisation.
But in recent years the ambiguity of Sealand's status prompted one of
the more fascinating experiments in technological utopias.
Bates' son Michael - Prince Michael of Sealand - blessed an experiment
to create a crypto data haven on the fort, and became head of the
operating company HavenCo [3] in June 2000 [4].
To the dismay of investors and cypherpunks, the venture wasn't a
success. Ryan Lackey had moved to the fort in 1999, hoping to
establish a safe location for privacy services such as anonymous
remailers, and experiments such as anonymous digital cash. [July 2000
Slashdot Q&A [5]]
In a presentation to the 2003 DefCon convention, a former employee
described how internal politics and a lack of investment backing had
thwarted the experiment. Contracts were broken, the bandwidth never
materialised, and the location was vulnerable to DOS attacks. At the
time [6] of his 2003 presentation, HavenCo had no new customers, and
had seen several of its existing customers leave.
"Sovereignty alone has little value without commercial support from
banks, etc," concluded Ryan, inviting us to draw our own conclusions as
to where the real sovereign power lies. Banks don't like cash they
can't count or control. ®
[1] http://www.eadt.co.uk/content/eadt/news/story.aspx?brand=EADOnline&category=News&tBrand=EADOnline&tCategory=zNews&itemid=IPED24%20Jun%202006%2009%3A12%3A24%3A070
[2] http://www.sealandgov.org/notices/pn02706.html
[3] http://www.havenco.com/
[4] http://www.theregister.co.uk/2000/06/07/exarmy_major_offers_dotcom_sanctuary/
[5] http://interviews.slashdot.org/article.pl?sid=00/07/02/160253&mode=nested
[6] http://www.metacolo.com/papers/dc11-havenco/
From isn at c4i.org Tue Jun 27 01:27:45 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:27:45 -0500 (CDT)
Subject: [ISN] OMB emphasizes data security guidance
Message-ID:
http://www.gcn.com/online/vol1_no1/41169-1.html
By Mary Mosquera
GCN Staff
06/26/06
The Office of Management and Budget today provided a checklist of best
practices that agencies must have in place in 45 days to compensate
for the absence of physical security controls when employees remove
information or access it from outside of agency premises.
Most departments should already have the measures recommended by the
National Institute of Standards and Technology in place, according to
Clay Johnson, OMB deputy director for management.
"We intend to work with the inspectors general community to review
these items, as well as the checklist, to ensure we are properly
safeguarding the information the American taxpayer has entrusted to
us," he said in the memo dated June 23 [1].
Besides the checklist, agencies also by early August must encrypt all
data on mobile devices that carry sensitive data and allow remote
access only with two-factor authentication. One of those factors
should be provided by a device separate from the computer gaining
access. Agencies will implement a "time-out" function for remote
access and mobile devices users, who will need to re-authenticate
after 30 minutes of inactivity. Agencies will log all
computer-readable data extracts from databases holding sensitive
information. They must verify that each extract of sensitive data has
been erased within 90 days or its use is still required.
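The extract-logging requirement above is the one most easily turned into a routine check. The script below is an added example, not part of the OMB memo or this article: it reads a constructed extract log (a made-up line format of timestamp, user, source database, extract id and status, chosen here for illustration) and lists every sensitive-data extract older than 90 days that has been neither verified as erased nor marked as still required.

```python
"""Audit a log of sensitive-data extracts against a 90-day verification window.

Added example; the log format and the status vocabulary ('erased', 'open',
'still-required') are assumptions made for this illustration, not anything
specified by the OMB memo.
"""
from datetime import datetime, timedelta

# Constructed sample log: one extract per line.
# Fields: ISO timestamp, user, source database, extract id, current status.
SAMPLE_LOG = """\
2006-03-01T09:12:00 jdoe   PERSONNEL_DB ext-0001 erased
2006-03-15T14:05:00 asmith HEALTH_DB    ext-0002 open
2006-05-20T08:00:00 jdoe   PERSONNEL_DB ext-0003 open
2006-04-02T11:30:00 bwong  BENEFITS_DB  ext-0004 still-required
2006-01-10T16:45:00 asmith HEALTH_DB    ext-0005 open
"""

VERIFY_WINDOW = timedelta(days=90)

# Statuses that satisfy the requirement: the extract was erased, or its
# continued use has been verified as still required.
ACCEPTABLE = {"erased", "still-required"}


def parse_extract_log(text):
    """Parse the constructed log format into a list of dicts.

    A malformed line raises ValueError rather than being skipped, so a
    logging defect cannot silently hide an extract from the audit.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError("line %d: expected 5 fields, got %d" % (lineno, len(fields)))
        ts, user, db, ext_id, status = fields
        records.append({
            "created": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "database": db,
            "id": ext_id,
            "status": status,
        })
    return records


def overdue_extracts(records, as_of):
    """Return ids of extracts older than VERIFY_WINDOW with no acceptable status.

    `as_of` is a 'YYYY-MM-DD' string; an extract exactly 90 days old is not
    yet overdue, one at 91 days is.
    """
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - VERIFY_WINDOW
    return [
        r["id"]
        for r in records
        if r["created"] < cutoff and r["status"] not in ACCEPTABLE
    ]


if __name__ == "__main__":
    recs = parse_extract_log(SAMPLE_LOG)
    for ext_id in overdue_extracts(recs, "2006-06-26"):
        print("overdue for 90-day verification:", ext_id)
```

Run against a real extract log, the only changes needed are the parser and the status vocabulary; the 90-day comparison and the rule that a still-required extract is acceptable only if someone actually recorded that verification stay the same.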
OMB provided sample privacy documents for system of records notices
for personnel security files, identity management systems, identity
card proofing and Privacy Act statement and a Privacy Act statement
for users of personal identity verification cards.
Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee,
applauded OMB's memo.
"Today's action by the Office of Management and Budget to reinforce
security standards for sensitive information controlled by the federal
government is a sensible step, given the various data breaches we have
seen in recent weeks," he said. "[G]iven the spotty record of
compliance [with the Federal Information Security Management Reform
Act] we have seen among the agencies, I sincerely hope this action
leads to both better results and better practices - and if not, perhaps
Congress will have to step in and mandate specific security
requirements."
[1] http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf
From isn at c4i.org Tue Jun 27 01:26:19 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:26:19 -0500 (CDT)
Subject: [ISN] Bookstore sales stolen by hacker
Message-ID:
http://www.northernadvocate.co.nz/localnews/storydisplay.cfm?storyid=3690082
By Craig Borley
26.06.2006
Internet fraud has hit a Whangarei bookshop owner, leaving his web
site suspended and his business' future in the balance.
Dennis Scoles, of Oceania Books, said his business earned a third of
its income from on-line sales.
But a computer hacker has targeted Mr Scoles' site, meaning customers
trying to pay for books via his PayPal link were actually paying the
hacker.
Mr Scoles' PayPal page was replaced by a fake, with a link to a
different bank account.
All this came as a shock to Mr Scoles, who said the incident was hard
to understand.
"We didn't have them (computers) at school in my day, so I had nothing
to do with them. I know nothing about IT, I was just a book collector.
I just feel sick, like I've been involved in a crime."
He has now invested in a firewall program intended to block hackers
but Quentin Donald, owner of Mr Scoles' Internet service provider
Acute Systems, said no blame lay with Mr Scoles.
"It has nothing to do with his computer at all, as I understand."
He said Mr Scoles' website used an osCommerce system for online
payments - one of the world's most common forms of on-line shopping.
He said it appeared someone had figured out a way to "get in the back
door" of that system.
Mr Donald believed there were some 30,000 websites using osCommerce,
most of which were too small to be attractive to hackers.
Because hackers tend to go for the big fish, he said, "the general guy
in the corner shop doesn't have to worry".
But Mr Scoles may have attracted the hacker's attention because of the
sheer size of his site. It included information and photographs of
some 1000 books.
"I'd been staying up nights, loading it all on, and it was only just
starting to pick up."
But as investigations continue Mr Scoles' website has been suspended,
causing him concern that future shoppers will be put off.
He had planned moving his business to Internet-only by the time he
retired but now he's not so sure.
"I have to seriously think about whether I want to continue on-line.
It's a lesson that should be passed on to all businesses thinking
about doing this."
Mr Donald said this lesson was a cruel one, due to its rarity and
people's inability to protect themselves against it.
© APN News & Media Ltd 2006.
From isn at c4i.org Tue Jun 27 01:27:19 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:27:19 -0500 (CDT)
Subject: [ISN] Microsoft warns of exploit code for dial-up bug
Message-ID:
http://www.networkworld.com/news/2006/062606-microsoft-warns-of-exploit-code.html
By Robert McMillan
IDG News Service
06/26/06
Microsoft is warning users of malicious software that could be used to
attack Windows systems that lack the company's latest security
updates.
The exploit code targets a vulnerability in the Remote Access
Connection Manager (RASMAN) service, used by Windows to create network
connections over the telephone. The bug, which was patched June 13, is
rated critical by Microsoft, the most severe rating available.
Hackers published the code on Web sites late last week, and it is now
included in Metasploit, a hacking toolkit that is used by security
researchers and criminals alike.
The malicious software is not as dangerous as it could be. Most
firewalls will block it and it also requires that the hacker be
authenticated on the computer for it to work.
Still, Windows 2000 and Windows XP Service Pack 1 users need to be
wary because they could be the victims of particularly nasty attacks
that do not require authentication, Microsoft said.
"The current exploit code ... requires authentication, but the
underlying vulnerability does not," said Stephen Toulouse, a security
program manager with Microsoft's security response center.
For any attack to work on the latest versions of other Windows
systems, like XP or Windows Server 2003, the attacker would need to be
able to log on to the victim's machine, Microsoft said.
Hackers will likely use the malicious software in criminal attacks
since it is now in Metasploit, said Ken Williams, director of
vulnerability research with CA.
Complicating matters is the fact that some dial-up users have been
having problems with the patch.
Computers that use Windows' dial-up scripting or terminal windows to
make connections may find that their dial-up connections no longer
work, according to Microsoft's alert.
Users who cannot install the patch immediately should disable the
RASMAN service, Microsoft said.
Over the past two weeks, Microsoft has also been contending with a
number of unpatched vulnerabilities in its Office and Excel software.
Microsoft has not yet patched the bugs, but it said Saturday that one
of them is now expected to be patched in its next round of security
updates, due July 11.
Microsoft's advisory on the malicious code can be found here.
The IDG News Service is a Network World affiliate.
All contents copyright 1995-2006 Network World, Inc.
From isn at c4i.org Tue Jun 27 01:27:59 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:27:59 -0500 (CDT)
Subject: [ISN] Sitting Ducks at Sandhurst
Message-ID:
http://www.people.co.uk/news/tm_objectid=17289093&method=full&siteid=93463&headline=sitting-ducks-at-sandhurst--name_page.html
By Daniel Jones
25 June 2006
DISGRACEFUL security lapses at Prince William's military academy are
today exposed by The People.
Carrying a lifelike fake bomb, one of our reporters casually strolled
into Wills's accommodation block - and put his feet up in the
24-year-old prince's common room.
For four shocking hours, he was allowed to roam the grounds and
buildings of world-famous Sandhurst without EVER being challenged.
A real terrorist would have had countless chances to plant a bomb that
could have killed and maimed scores of people - including the man who
will one day be King.
The scandal is revealed less than two weeks before the anniversary of
the 7/7 London bombings - and amid fears that Al-Qaida is planning a
new wave of attacks in Britain.
We linked up with former counterterrorism intelligence officer Charles
Shoebridge to infiltrate Sandhurst - which William's brother Harry has
just left - for an open day that attracted more than 3,000 visitors.
In a string of appalling security blunders, our investigators:
- OPENLY sat in the grounds putting together the fake bomb;
- STROLLED into William's New College quarters - where a cadet opened a
door for them to get in;
- CHECKED out the VIP podium and a postbox where lethal explosives could
easily have been hidden; and
- TOOK photos in areas which were supposed to be closed off as part of a
£2million operation designed to protect William - a prime target -
from international terrorists.
Mr Shoebridge said: "Sandhurst's worldwide reputation makes it an
ideal terrorist target - especially with Prince William there. Yet you
would not think this from the security we saw.
"If they had wanted to, then terrorists could have caused havoc."
The disgraceful lapses began the moment our team arrived at the
Berkshire military academy's Heritage Day.
Astonishingly, visitors did not have to book their places - which
meant they could not be vetted in advance.
And guards did not even take their names as they entered. Armed
soldiers and police at the main gate searched the bags of people
arriving on foot.
But like scores of other people, our investigators drove to Sandhurst
- and were waved through to a car park.
Once there, cadets made only a cursory search of the boot.
But they did NOT look inside the car.
And they did NOT carry out the widely used swab check - which reveals
whether a person has been handling explosives.
Mr Shoebridge - himself a Sandhurst graduate - said: "Of the ten cars
I watched being checked, no searches at all were made of their
occupants or their bags or rucksacks, which could have been packed
with explosives."
Our reporter made no attempt at secrecy as he made his "bomb" based on
a design used by Al-Qaida - a mobile phone acting as a timer wired to
a blob of Semtex.
We used lookalike Plasticine instead of the deadly high explosive.
Our reporter put the device into a plastic lunch-box which he carried
in a shoulder-bag - along with a dossier about Sandhurst and a map of
the complex.
Amazingly, a passing soldier revealed where the Prince is staying
while he is at Sandhurst. Mr Shoebridge - who worked in the police and
army for 20 years - pointed out a working postbox made of cast iron
next to the parade square at William's college.
He said: "Just a small bomb hidden in there would shower deadly
shrapnel over any cadets parading here the following morning. The
postbox should have been sealed for the Heritage Day."
New College, like most of Sandhurst's buildings, was officially closed
to the public for the event.
But it was a doddle for our investigators to get inside.
Two ground-floor windows at the rear were UNLOCKED.
But our team did not have to climb in because a cadet showing his
family round helpfully held open a door for them.
They were able to wander around the building - and even sat in the
common room near William's personal quarters. A terrorist could simply
have planted a bomb under a chair and detonated it at his leisure.
Mr Shoebridge said: "Most of the ground-floor windows were locked on a
hot summer's day - which suggests staff were aware that someone might
attempt unauthorised access.
"Yet cadets did not seem to have been briefed about the need to
identify and accompany strangers before allowing them in through the
door."
Our investigators then checked out a podium used by VIPs for the
finale of the open day - a march-past with a Gurkha band in front of
the Mayor of Sandhurst Elizabeth North.
There was NO guard here in the runup to the parade. Mr Shoebridge
said: "Had we used a timing device, we would have now escaped and the
bomb would kill the VIPs, the bandmaster and several members of the
public.
"If we were to trigger the bomb remotely as the band passed close to
the podium, we would have killed several Gurkhas from the band too."
There were also any number of chances to secrete bombs - timed to
explode later - under unattended Army trucks and Land Rovers at the
complex.
William joined the tough military academy in January for a 44-week
officer cadet course. Harry, 21, graduated from the college in April,
a ceremony attended by the Queen and the rest of the Royal Family. But
Sandhurst was considered a terrorist target even before then.
During Muslim cleric Abu Hamza's trial in January, it was revealed he
had detailed plans of Sandhurst which he said would be "crucial to any
terrorist". The 47-year-old extremist was jailed for seven years for
incitement to murder.
MI5 and the police warn that new Al-Qaida outrages in Britain could
come within months.
Experts say they have foiled at least three attacks since the 7/7
bombings.
A spokesman for the Ministry of Defence said last night: "We do not
discuss security matters. We are, however, satisfied that a real bomb
would have been quickly identified and appropriate steps taken."
- DO YOU know of a scandal? Call our newsdesk on 020 7293 3204.
- Voice of The People: Page 6 daniel.jones at people.co.uk
From isn at c4i.org Tue Jun 27 01:27:06 2006
From: isn at c4i.org (InfoSec News)
Date: Tue, 27 Jun 2006 00:27:06 -0500 (CDT)
Subject: [ISN] Report: One hacked OU server should have been offline
Message-ID:
http://www.athensnews.com/issue/article.php3?story_id=25314
By Jim Phillips
Athens NEWS Senior Writer
2006-06-26
Part of the recently released consultant's audit of OU's computer
security systems (see related story, page 6) is a review of two major
hacking incidents and how OU responded to them.
In one case, the server that was hacked into was apparently vulnerable
to such a breach because many personnel at OU were not even aware it
was still hooked up to the university's computer system.
The two hacking incidents, which have caused OU no end of public
relations grief, are what prompted the university to hire Moran
Technology Consultants to conduct its audit in the first place.
OU has also found three other security breaches.
According to the audit report, the two breaches examined in the report
involved OU servers named ALUMINFO3 and SHSSRV1.
The first contained personal and contact information for 300,000
alumni, including Social Security numbers for about 137,000 people.
This server was apparently left vulnerable to hacking because IT
personnel thought it had been taken offline, but it hadn't.
The second is used by OU's Hudson Health Center, and includes about
60,000 patient records, with Social Security numbers. Hackers
apparently broke into this server, then tried to use it to attack
another OU server.
Moran suggests that OU discovered the Hudson security breach mainly
because two other hacking incidents triggered a "heightened
awareness," prompting OU to run virus scans on various other computer
systems.
Donor database breach:
The first known problem with this database dates to March 1, 2005, the
consultant found. Someone (whose identity is redacted from the audit)
reported an apparent breach in April 2006 via e-mail to Bob Watkins,
an operating systems programmer at CNS.
Moran concludes that the system was vulnerable to hacking (by some
particular method that has been redacted from the report) from March
1, 2005, to April 24, 2006, but that there is not enough information
available to tell if hackers actually stole any information from the
system.
From Feb. 1, 2006 to April 11, 2006, the report adds, "the system was
apparently used as a music file sharing server," and on April 22,
2006, "the system was used to attack another server."
Numerous employees interviewed by Moran said they thought this server
had been turned off and disconnected from the OU network since a prior
application upgrade.
Records show, however, that it was in more or less continuous service
from May 5, 2004 to April 24, 2006, when the breach was discovered -
though it had been taken offline for a total of about 14 days since
March 25, 2005.
Moran concluded that this system should have been turned off and
disconnected from the network after April 14, 2005, when it was
decommissioned. "However, apparently due to poor communication, lack
of decommissioning procedures, and poorly defined responsibilities,
the system was turned off but then turned back on 10 days later."
The report adds that the initial break-in to the system apparently
happened before it was decommissioned, and that leaving it connected
afterwards greatly increased the odds that data was stolen, and led to
other abuses of the system.
Hudson patient database breach:
This server was apparently hacked into first on Dec. 19, 2005,
according to Moran. In early January 2006, the administrator of
another OU server reported that the SHSSRV1 server was trying to log
on to his server.
The incident was reported to OU's computer security team, but "it is
not clear what action was taken beyond this," the report says.
IN EACH INCIDENT, once the breach was detected, the systems were
quickly taken offline, the report says, and appropriately reported to
OU's CIO, Office of Legal Affairs, and PR personnel.
Moran concludes that up to a certain point, the response of OU's
security team to the breaches was "relatively well orchestrated and
organized." After the point at which the team began trying to find out
how widespread the problem was, however, "activities became poorly
organized and fragmented," according to Moran.
CNS Director Tom Reid took over the job of managing the response from
the lead member of the security team, who, according to Moran, was
better qualified to handle the job.
Reid said Sunday that it wasn't his decision to take over the response
team, but that of CIO Bill Sams.
"I was assigned that task by the CIO," he claimed.
OU also put three Computer Services employees on administrative leave
at this point, an action that Moran believes "greatly contributed to
the confusion and disorganization in the wake of the problems. The
people who knew the compromised systems best were sent home, instead
of being available to assist in the response."
The report also notes that the three employees placed on leave (OU has
said it is recalling them) had previously "made efforts to get help
from CNS" with security problems, but probably should have taken their
concerns to higher management.
The report concludes that OU's initial containment procedures "were
appropriate and effective," but after these initial steps, "the
process faltered."
UNIVERSITY CHIEF Information Officer Bill Sams told the OU Trustees at
a meeting last week that OU has gotten about two dozen reports of
identity theft since the breaches were discovered, though these may
not all be traceable to the problems with OU computers.
OU has said that it will not take financial liability for financial
loss due to identity theft unless a person can show that his or her
personal data was not stolen from some other source that was holding
it.
Sams called the number of identity theft reports "surprisingly
small," given the volume of personal information potentially exposed
in the computer security breaches.
He said that based on what OU investigators have discovered about the
hacking incidents, they believe they were unrelated to each other.
"It was not a continuous series of attacks," he told the Trustees.
Based on the audit findings, Sams said, it appears that CNS was more
concerned with performance than with security, and wanted to avoid
slow-downs that might result from taking needed security measures. He
promised that OU will take steps to change the culture within its IT
departments that helped allow the breaches to occur.
Trustee C. Robert Kidder noted that the security breaches "cost us
greatly" in terms of both money and bad publicity.
During the meeting, the Board of Trustees approved a motion to spend
up to $4 million on addressing the IT problems.
Asked where that money will come from, President Roderick McDavis said
he is not sure, but that it definitely will not come from
extra money set aside for priorities laid out in OU's Vision Ohio
comprehensive plan.
From isn at c4i.org Wed Jun 28 01:13:35 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:13:35 -0500 (CDT)
Subject: [ISN] HSBC customers hit by Bangalore breach
Message-ID:
http://software.silicon.com/security/0,39024655,39159940,00.htm
By Andy McCue
27 June 2006
A security breach at HSBC's offshore data processing unit in Bangalore
has led to £233,000 being stolen from the accounts of a small number
of UK customers.
A 24-year-old worker at the HSBC operation has been suspended after
being accused of accessing confidential account information and
passing it on to criminal associates in the UK.
Fears over the security of offshore business process outsourcing (BPO)
operations will be heightened by reports in India claiming the HSBC
employee also used false records to obtain the job at the bank.
The HSBC worker was caught when the fraud was detected by the bank's
security systems.
A spokesman for HSBC told silicon.com: "Our internal security team
discovered one of HSBC's staff in Bangalore caused customer data to be
leaked leading to a small number of accounts from the UK being
compromised."
He declined to comment any further on the details of the breach but
said all affected customers - reported to be around 20 in number -
have been contacted and will be fully reimbursed for any losses.
The HSBC spokesman added: "We are taking data protection seriously.
These systems are sophisticated and in place to help track these
things down."
Sunil Mehta, VP of India's IT industry body Nasscom, insisted such
security breaches are not unique to offshore operations and can happen
in any country.
He said: "India, with its strong legal system and its independent
judiciary, is a country that takes this responsibility extremely
seriously. Nasscom will work with the legal authorities in the UK and
India to ensure that those responsible for any criminal breaches are
promptly prosecuted and face the maximum penalty."
Just last month Nasscom created a new regulatory body to help improve
data security among India's offshore IT services and BPO companies.
From isn at c4i.org Wed Jun 28 01:13:48 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:13:48 -0500 (CDT)
Subject: [ISN] VA Asking for More Money After Data Theft
Message-ID:
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/27/AR2006062700134.html
By HOPE YEN
The Associated Press
June 27, 2006
WASHINGTON -- Veterans Affairs Secretary Jim Nicholson promised
Congress on Tuesday he could turn his agency into a "model for
information security" but said lawmakers will have to be patient.
Nicholson also said the Bush administration was asking for at least
$160.5 million in emergency funds for credit monitoring and other
measures to protect veterans and military troops whose sensitive
personal information was stolen from a VA employee's laptop computer.
Besides covering monitoring for about half of the 17.5 million people
whose Social Security numbers were compromised, the money would pay
for out-of-pocket expenses ranging from $10,000 to $20,000 for those
whose identities are stolen, Nicholson told a House panel.
Under questioning, Nicholson acknowledged that much more money may be
needed to revamp information security at the VA and other agencies. He
also left the door open to providing veterans more than one year of
free credit monitoring following the May 3 burglary at a VA data
analyst's home.
"Unfortunately, a very bad thing happened," Nicholson told a House
Appropriations subcommittee that oversees VA spending.
"I think we can turn VA into the model for information security," he
added. "I will not try to mislead you and delude. This will not be
easy and it will not be overnight."
Of the $160.5 million requested for monitoring, Nicholson said, about
$29 million will be taken from VA funds budgeted in 2006 to cover
personnel costs at the Veterans Benefit Administration. That money
would not have been used this year due to hiring plans that already
had been pushed back to 2007, he added. The other $131.5 million would
be reallocated from other areas of the White House budget.
"It will take some belt tightening. It will not come out of veterans'
benefits," Nicholson said.
No reports of identity theft have been reported in connection with the
May 3 theft of a computer from the data analyst's home in suburban
Maryland. The laptop contained names, birth dates and Social Security
numbers for up to 26.5 million people.
Last week, the Senate Appropriations Committee approved $160 million
in emergency funds to pay for credit monitoring. It is one of many
expected payments as the government struggles with fallout from data
thefts and other breaches now crossing at least six agencies.
Earlier in the hearing, the House panel was urged to spend whatever
necessary to avoid undue hardships for data theft victims.
David McIntyre, president and CEO of TriWest Healthcare Alliance,
which administers the Pentagon's health care program in 21 Western
states, proposed creating a central government "nerve center" to
assist agencies after any such security breach.
"Unfortunately, as we have all come to realize, the question is not
whether another incident of information theft will occur but when,"
McIntyre said. "Events such as these are happening with increased
regularity - and, surely, spending a few million to prepare is
preferable to spending hundreds of millions to react."
Rep. James Walsh, R-N.Y., chairman of the House subcommittee,
chastised the VA for waiting three weeks to notify veterans about the
theft. "This represents a significant lapse of time that could have
been vital to protect identity theft," Walsh said.
In his testimony, Nicholson called the burglary a "wake-up call" that
should not have come at the expense of veterans, some of whom have
challenged the free monitoring in court as potentially inadequate. He
said about half of the affected veterans were expected to take the
government's offer.
Separately, the VA asked a federal judge to revise his order barring
the VA from publicizing its free credit monitoring offer. The VA said
it wished to continue providing information to veterans through its
Web site and call center and had no intention of asking veterans to
relinquish their rights to a potentially larger payout in court.
U.S. District Judge William Bertelsman in Kentucky scheduled a hearing
for Friday to determine whether the VA should revise its deal.
The class-action lawsuits, which are pending in Covington, Ky., and
Washington, seek free monitoring and other credit protection for an
indefinite period as well as $1,000 in damages for each person - or up
to $26.5 billion total.
Stacy Hinners, an attorney representing veterans, said veterans did
not wish to shut down the call center and Web site but simply wanted
the VA to be clear what rights veterans would have if they accepted
the free offer.
Veterans groups and lawmakers from both parties have criticized the VA
for the theft and noted years of warnings by auditors that information
security was lax. The data analyst - who was in the process of being
dismissed - had taken the information home on a personal laptop for
three years.
-=-
On the Net:
For veterans suspecting identity theft: http://www.firstgov.gov or
1-800-FED-INFO
From isn at c4i.org Wed Jun 28 01:13:59 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:13:59 -0500 (CDT)
Subject: [ISN] Does Wi-Fi security matter?
Message-ID:
http://news.zdnet.co.uk/internet/security/0,39020375,39277577,00.htm
By Tom Espiner
ZDNet UK
June 27, 2006
People 'just don't care' about Wi-Fi security according to
researchers, but some senior security experts argue there's no need to
secure networks at all
A large percentage of Wi-Fi networks are "horribly insecure",
according to researchers at Indiana University.
In a study of almost 2,500 access points in Indianapolis, presented at
the Workshop on the Economics of Information Security at the
University of Cambridge on Monday, researchers found that 46 percent
were not running any form of encryption.
"People just really don't care about Wi-Fi security, and open Wi-Fi at
home is a nice big target," said Matthew Hottell, lecturer in
informatics at Indiana University. "Defaults [settings] are king,"
added Hottell.
Most of the secured networks used routers whose security setting had
been pre-installed by the vendor, rather than having been activated
by the end user. Some used WEP encryption wizards to encourage people
to turn on the security settings.
"Education seems to have little effect. People with a higher economic
status are not responsive to the heightened risk of privacy erosion,
and people in general don't recognise that higher population density
[heightens risk]," said Hottell.
However, security expert Bruce Schneier argued that as long as
people's devices were secure, having a secured network was
unnecessary.
"I have a completely open Wi-Fi network," Schneier told ZDNet
UK. "Firstly, I don't care if my neighbours are using my network.
Secondly, I've protected my computers. Thirdly, it's polite. When
people come over they can use it."
University of Cambridge security expert Richard Clayton also
questioned the assumption that unsecured networks were necessarily
insecure.
"What is your definition of secure?" Clayton asked the researchers.
"Did you try to exploit the systems?"
Hottell said the wardriving team had not attempted to hack any systems
or read any network traffic.
Microsoft's chief privacy advisor for Europe, Caspar Bowden, said
there seemed to be a consensus among security experts that having a
Wi-Fi network open to sharing has positive uses, but warned that
people could not rely on WEP encryption if they wanted to secure
networks.
"If you do want to secure your network, look at end-to-end solutions
rather than some of the dodgy crypto around like WEP," said Bowden.
"There's only one thing worse than no security, and that's a false
sense of security," he added.
From isn at c4i.org Wed Jun 28 01:14:17 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:14:17 -0500 (CDT)
Subject: [ISN] U.S. vulnerable to 'cyber Katrina'
Message-ID:
http://www.gcn.com/online/vol1_no1/41172-1.html
By Alice Lipowicz
Contributing Writer
06/27/06
The United States is poorly prepared for a "cyber Katrina," with no
coordinated plan for restoring and recovering the Internet after a
major disruption, according to a new Business Roundtable report [1],
released yesterday.
Despite efforts to address the problem, the federal government and
private sector have not developed a coordinated plan for restoring the
Internet and maintaining confidence in financial markets following a
major breach in functioning.
The gaps identified include no cyberattack early warning system,
unclear and overlapping responsibilities for responding to Internet
disruptions, and no sufficient resources.
"If there's a cyberdisaster, there is no emergency number to call -
and no one in place to respond, because our nation simply doesn't have
the kind of coordinated plan in place that we need to restart and
restore the Internet," Edward Rust Jr., chairman of State Farm
Insurance Companies and head of the Roundtable Security Task Force's
working group on cybersecurity, said in a news release. "Government
and industry must work together to beef up our cybersecurity and
recovery efforts."
The roundtable, which comprises chief executives of major corporations
representing nearly a third of the total value of the U.S. stock
market, said the private sector should take the lead in restoring the
communications infrastructure following a disaster.
The federal government should establish clearer roles and
responsibilities. For example, while the Homeland Security Department
said it has authority to declare a national cyberemergency and intends
to consult with business leaders, the report said it is not clear how
this consultation will occur or what the factors are for declaring an
emergency.
The federal government also should provide funding for long-term
programs, and make sure that national response plans treat major
Internet disruptions as serious national problems, the report said.
The National Cyber Security Division within DHS receives about $70
million a year, but almost none of the funds support cyber-recovery,
the report said.
Federal authorities should set a clear policy for Internet recovery,
which would define DHS' role and responsibility; define the
responsibilities of the U.S. Computer Emergency Response team; specify
how the Homeland Security Operations Center will be used; and clarify
the roles of other agencies, such as the Federal Communications
Commission and the Federal Emergency Management Agency, the report
said.
Private sector executives are urged to designate a point person for
cyber-recovery, update their plans to prepare for a widespread
Internet outage and the impact on movement of goods and services, and
set priorities for restoring Internet service and corporate
communications.
The roundtable also urged creation of a federally funded panel of
experts to assist in developing plans for recovering the Internet
after a cyberdisaster. It also suggests DHS and industry jointly
conduct large-scale cyberemergency exercises.
[1] http://www.businessroundtable.org/pdf/20060622002CyberReconFinal6106.pdf
From isn at c4i.org Wed Jun 28 01:14:26 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:14:26 -0500 (CDT)
Subject: [ISN] Navy: Exposed personal data was Katrina-related
Message-ID:
http://www.fcw.com/article95068-06-27-06-Web
By Bob Brewin
June 27, 2006
The Navy said the personal information of more than 30,000 sailors
that a civilian Web site exposed pertains to sailors and their
families located in areas affected by Hurricane Katrina.
Lt. Justin Cole, a spokesman for the chief of naval personnel, said
the Navy collected the personal information in relation to hurricane
relief operations.
Cole said the Navy has no idea how someone published the information
on the Web site. The site has removed that information. Cole declined
to identify the site or its purpose, but he said it was not a medical
or health information Web site.
The Navy said last week it first became aware of the exposure of the
personal information June 22 in a report by the Joint Task
Force-Global Network Operations and the Navy Cyber Defense Operations
Command, part of the Naval Network Warfare Command (Netwarcom).
The personal information was contained in five spreadsheet files on
the Web site and included the name, birth dates and Social Security
numbers of sailors and family members, the Navy said.
The service mailed letters to all 30,618 service members and their
families affected by the incident, the Navy added. The service said it
has no evidence that someone has illegally used the personal
information on the Web site.
Cole said the Naval Criminal Investigative Service is investigating
the incident. But he declined to provide further details.
From isn at c4i.org Wed Jun 28 01:14:37 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:14:37 -0500 (CDT)
Subject: [ISN] Apple updates Mac OS to squash bugs
Message-ID:
http://news.com.com/Apple+updates+Mac+OS+to+squash+bugs/2100-1002_3-6088787.html
By Joris Evers
Staff Writer, CNET News.com
June 27, 2006
Apple Computer on Tuesday released an update for its Mac OS X that
repairs several security flaws and includes feature updates.
The update, Mac OS X 10.4.7, fixes four security vulnerabilities,
Symantec said in an alert sent to customers. "These issues can be
exploited to cause denial-of-service conditions, gain access to
sensitive information, and execute code," it said.
The security flaws lie in various components of Mac OS X, Symantec
said. There is no known attack code for the vulnerabilities, the
company said, indicating that there is no threat imminent to Mac
users.
An Apple representative did not immediately return calls seeking
comment on the security issues. The Cupertino, Calif.-based company
also had not published any security fix information on its security
Web site as of Tuesday late afternoon. Apple's last security update
was in May, addressing bugs in Mac OS X and QuickTime.
Aside from the security fixes, Mac OS X 10.4.7 delivers some
improvements and repairs a few issues related to Mail, Finder and
iChat, among other things, according to a posting on Apple's support
Web site.
If iChat users encounter a problem while trying to set up a
conference, they can now send a message to Apple that automatically
outlines what went wrong, much the same way Safari users can choose to
send a message when the browser crashes, Apple said.
The update also fixes a number of issues with syncing, improving
support for Motorola phones and fixing some problems with .Mac
syncing, according to Apple. Users can download Mac OS X 10.4.7
through Software Update or the standalone installer.
Apple plans to showcase Mac OS 10.5, code-named Leopard, at its annual
developer meeting in August, the company announced Monday.
From isn at c4i.org Wed Jun 28 01:13:20 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:13:20 -0500 (CDT)
Subject: [ISN] Ohio University Sued As Result Of Data Theft
Message-ID:
http://www.channelcincinnati.com/news/9431401/detail.html
June 27, 2006
ATHENS, Ohio -- Two graduate students have filed lawsuits against Ohio
University due to recent data thefts from school computers.
Donald Jay Kulpa, 31, of Cincinnati, and Kenneth Neben, 34, formerly
of Columbus and now living in New Jersey, sued OU, claiming their
privacy had been violated. Kulpa and Neben are two of possibly 173,000
students, employees, or faculty whose Social Security numbers were
stolen in five separate instances since March 2005.
Of the 173,000 people, about 367,000 files containing personal
information such as Social Security numbers, names, medical records,
and home addresses were breached.
The lawsuit was filed Friday in the Ohio Court of Claims in Columbus.
On the same day, OU made a decision to spend $4 million to heighten
computer security on campus.
The lawsuit asks a judge to order the school to compensate for any
financial loss as a result of identity thefts linked to security
breaches at OU. They also want the school to pay for credit monitoring
services for anybody whose personal information may have been
breached.
Kulpa and Neben's lawsuit seeks class-action status to represent
anyone affected, including students, faculty, and employees.
John Burns, OU's legal affairs director, said he expected a lawsuit
but not one that reached class-action status.
"We'll review it and we'll defend it," Burns said.
Mark Mezibov, a Cincinnati lawyer representing Kulpa and Neben, said
the university was negligent and indifferent in failing to protect
personal information.
A recent consultants' report concluded that OU's Computer and Network
Services division considered security as a low priority for the past
decade. However, the division had an annual budget of about $11
million and recent annual surpluses averaging $1.4 million.
Last week, OU suspended the director of Computer and Network Services
and the Internet and systems manager, pending an investigation
regarding the security breaches.
On April 21, the university announced it had discovered a security
breach at its training center for fledgling businesses. Since the
incident, breaches have been reported at the alumni office, health
center, and the department that handles records for businesses the
university hires.
Copyright 2006 by ChannelCincinnati.com.
The Associated Press contributed to this report.
From isn at c4i.org Wed Jun 28 01:14:52 2006
From: isn at c4i.org (InfoSec News)
Date: Wed, 28 Jun 2006 00:14:52 -0500 (CDT)
Subject: [ISN] Navy contractor charged with sabotaging computer system
Message-ID:
http://home.hamptonroads.com/stories/story.cfm?story=106658&ran=64860
By TIM MCGLONE
The Virginian-Pilot
June 27, 2006
NORFOLK - A Navy contractor has been charged with sabotaging a
computer system that plots the locations of ships and submarines.
The computer intrusion could have caused collisions between Navy and
commercial vessels, but it was uncovered before any serious harm was
done, according to a criminal complaint unsealed Monday in U.S.
District Court here.
The suspect, Richard F. Sylvestre, 43, of Massachusetts, was charged
with unauthorized access to a government national defense computer, a
crime that carries a penalty of as much as 10 years in prison.
Sylvestre said little during his first court appearance Monday.
"Do you understand why you're before this court?" Magistrate James E.
Bradberry asked Sylvestre.
"Yes, sir," he replied.
Sylvestre, listed in the court record as owner of computer company
Ares Systems International, is accused of programming malicious
software codes into computers at the Navy's European Planning and
Operations Command Center in Naples, Italy, last month, according to
the court records.
Sylvestre later confessed to the crime, according to the complaint
filed by a Naval Criminal Investigative Service agent in Norfolk. He
told the agent he was upset that his company's bid on a project was
passed over, the papers say.
Ares already held a Navy contract to provide computer maintenance for
the Navy's European Command.
On May 21, two Navy computers in Naples were rendered inoperable, the
complaint says.
A computer administrator determined that someone had programmed what's
known as a "cron job" into the system. A cron job enables someone to
schedule the start of program commands at some future date.
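The complaint describes a cron job planted to fire on a later date. As an added example (not from the complaint or the Navy's systems), the audit below parses crontab text and flags entries whose day-of-month and month are both literal numbers, which is the shape a one-shot, date-triggered job takes; the sample crontab is constructed.

```python
import re
from datetime import date

# Five schedule fields followed by the command:
# minute hour day-of-month month day-of-week command
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

# Constructed sample crontab; line 4 is the suspicious one.
SAMPLE_CRONTAB = """\
# constructed sample crontab, not from the incident
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
30 2 21 5 * /tmp/.x/stop_net.sh
15 4 1 * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/bin/check_health
"""


def parse_crontab(text):
    """Return (line_no, fields, command) for each schedule line, skipping
    blanks, comments, VAR=value assignments and @reboot-style entries."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        m = CRON_RE.match(line)
        if m:
            entries.append((line_no, m.group(1, 2, 3, 4, 5), m.group(6)))
    return entries


def fixed_value(field):
    """The integer when a field is one literal number ("21"), else None
    for wildcards, ranges, lists and steps ("*", "1-5", "1,15", "*/5")."""
    return int(field) if field.isdigit() else None


def next_fixed_date(fields, today):
    """For an entry whose day-of-month and month are both literal numbers,
    return the next calendar date on which it fires; otherwise None."""
    dom, mon = fixed_value(fields[2]), fixed_value(fields[3])
    if dom is None or mon is None:
        return None
    for year in (today.year, today.year + 1):
        try:
            when = date(year, mon, dom)
        except ValueError:  # e.g. day 31 of month 2: never a real date
            return None
        if when >= today:
            return when
    return None


def audit_crontab(text, today_iso):
    """Flag entries that fire on a single fixed calendar date. today_iso is
    the reference date as YYYY-MM-DD; dates are returned in the same form."""
    today = date.fromisoformat(today_iso)
    findings = []
    for line_no, fields, command in parse_crontab(text):
        when = next_fixed_date(fields, today)
        if when is not None:
            findings.append({
                "line": line_no,
                "date": when.isoformat(),
                "days_until": (when - today).days,
                "command": command,
            })
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, "2006-05-19"):
        print(f"line {f['line']}: fires {f['date']} "
              f"(in {f['days_until']} days): {f['command']}")
```

A fixed-date entry is not proof of sabotage, but on a production host it is rare enough that each one deserves a look at who wrote it and when the crontab was last modified.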
The investigation determined that the commands were entered on a
computer last used by Sylvestre on May 19, the complaint says.
The computer administrator also discovered three additional infected
computers that, had the programs been launched, would have shut down
the entire network that tracks the locations of ships and submarines.
The system helps prevent military and commercial vessels from running
into each other. "Sylvestre denied that he had any intention to cause
a collision or crash," the complaint says.
Sylvestre returned to Norfolk on Sunday aboard the Air Mobility
Command and was taken into custody by the U.S. Marshals.
After Monday's court appearance, Bradberry allowed Sylvestre to post a
$10,000 bond and return home to Massachusetts, but not without a stern
warning first.
"This is deadly serious business," Bradberry told him. "Don't take
this lightly."
A grand jury will hear the case within the month, a prosecutor said in
court.
Reach Tim McGlone at (757) 446-2343 or tim.mcglone at pilotonline.com.
© 2006 HamptonRoads.com/PilotOnline.com
From isn at c4i.org Thu Jun 29 04:52:14 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:52:14 -0500 (CDT)
Subject: [ISN] NHS mobile data security is pants
Message-ID:
http://www.theregister.co.uk/2006/06/28/nhs_mobile_security_survey/
By John Leyden
28th June 2006
Sensitive medical and personal details are in danger of exposure
because of lax data security among health sector workers, according to
a new survey.
The study, sponsored by mobile security firm Pointsec, found that
almost two thirds of health sector workers use inadequate security.
Half of those in the NHS use their own mobile devices to store data, a
basic breach of security practice.
The Mobile device usage in the health care sector survey carried out
by Pointsec and the British Journal of Healthcare Computing &
Information Management also found that one-fifth of the devices
used to store data have no security on them at all. A further 40 per
cent have only password-controlled access that would be easy for a
skilled hacker to defeat using a dictionary-style attack.
Only a quarter of respondents used passwords in conjunction with other
security features such as encryption, biometrics, smart card and
two-factor authentication. The 117 participants in the survey included
information managers, IT managers and medical professionals in the
NHS. A quarter of those who took part in the study supplied equipment
to the health care sector.
USB memory sticks or cards (76 per cent) were often used to download
data among health care pros, followed by laptops (69 per cent),
PDA/Blackberry (51 per cent), smartphones (nine per cent) and mobile
phones (two per cent). Almost half (42 per cent) of respondents owned
at least one of the devices they used.
These mobile devices were commonly used to store work contact details
(75 per cent), but nearly two thirds stored corporate data, and one in
five used mobile devices to store security details, such as passwords
and PIN codes. About half of the medical professionals surveyed stored
patient records on mobile devices, a potentially serious risk to
patient confidentiality given that a quarter of respondents have
admitted losing a mobile device.
Pointsec says its survey is evidence that inadequate security
procedures are allowing mobile devices to "fall through the security
net". It advises wider use of mobile encryption technologies, a
business Pointsec itself specialises in.
From isn at c4i.org Thu Jun 29 04:52:43 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:52:43 -0500 (CDT)
Subject: [ISN] Security Diligence Is Overdue
Message-ID:
====================
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
SPI Dynamics
http://list.windowsitpro.com/t?ctl=2FEE3:4FB69
Diskeeper
http://list.windowsitpro.com/t?ctl=2FEDE:4FB69
CrossTec
http://list.windowsitpro.com/t?ctl=2FEDC:4FB69
====================
1. In Focus: Security Diligence Is Overdue
2. Security News and Features
- Recent Security Vulnerabilities
- Two New Excel Vulnerabilities Surface
- Workarounds for the First of Two Excel Vulnerabilities
- Windows Defender
3. Security Toolkit
- Security Matters Blog
- FAQ
- Share Your Security Tips
4. New and Improved
- Faster Intrusion Protection
====================
==== Sponsor: SPI Dynamics ====
ALERT: "Top Web Application Hacker Tricks"
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation. Learn step-by-step vulnerability
testing methods for your own Web Applications and guidelines for
establishing best administration and coding practices.
http://list.windowsitpro.com/t?ctl=2FEE3:4FB69
====================
==== 1. In Focus: Security Diligence Is Overdue ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
I recently came across some very interesting survey information
published by Deloitte Touche Tohmatsu (DTT). The company conducted a
survey of security executives in 150 companies from 30 countries whose
business relates to technology, media, and telecommunications (TMT).
The results shed some light on why some companies are open to security
breaches.
http://list.windowsitpro.com/t?ctl=2FEF6:4FB69
According to the survey results, the majority of the surveyed companies
consider themselves reactive (as opposed to proactive) when it comes to
investing in information security. In other words, they spend money in
response to breaches but don't typically spend nearly as much money to
prevent breaches.
Only 4 percent of the companies think they're addressing the problem
sufficiently; only 25 percent have already implemented or are in the
process of implementing antiphishing protection; only 37 percent
provided security training to employees over the past 12 months; only
24 percent believe their current security tools are being used
effectively; and only 33 percent perform security risk assessments.
Another interesting pair of findings is that half of the companies who
suffered breaches over the past 12 months were victims of insider
attacks and only 47 percent of the companies believe they are
adequately protected against such internal attacks.
Brian Geffert, principal of Deloitte Security and Privacy Services,
said about the survey findings, "When it comes to security, TMT
companies are talking the talk but not yet walking the walk. Survey
respondents say that security is a top concern, but it is still not
being addressed across the organization from a risk-based perspective,
despite recent breaches costing million[s] of dollars of damage and
inestimable harm to companies' reputations, brands, revenue and
productivity. In fact, more than half of security executives surveyed
admit that their security investments are falling behind the threats or
at best just catching up."
Eye opening, isn't it? In a parallel study, DTT polled financial
institutions as well as life sciences and health care companies.
Although DTT didn't say how many companies took part in those studies,
it did say that 78 percent of the financial institutions had
experienced an external security breach and 49 percent had experienced
an internal security breach in the past year. Seventeen percent of life
sciences and health care companies had experienced an external security
breach and 9 percent had experienced internal breaches. Wow!
How many news stories have you read over the past several months about
some company suffering either an intrusion or equipment loss that
exposed people's private information? We can't go more than a week or
so without yet another of these stories coming to the surface, which
just reinforces DTT's findings.
It seems to me, even more so in light of DTT's survey results, that the
problems of intrusion and identity theft must be due to a lack of
diligence, or maybe a lack of funding to support proper diligence.
After all, with proper funding, how hard is it to diligently defend
your enterprise network, and how hard is it to diligently protect your
mobile computing devices and backup media? The former can be tedious,
of course, but not overly difficult. The latter requires mostly
attentiveness and common sense on the part of users to avoid theft or
other forms of loss.
If, in your opinion, your company isn't providing adequate resources
for a diligent approach to information security, consider pointing your
executives or decision makers to this editorial and DTT's press
release. Maybe it'll help open some eyes.
====================
==== Sponsor: Diskeeper ====
FREE UTILITY: SCANS YOUR SITE FOR SYSTEM SLOWDOWNS
Disk Performance Analyzer for Networks is a FREE utility that remotely
scans your networked systems looking for severe fragmentation-related
disk performance bottlenecks. Disk fragmentation is a major source of
slowdowns, freeze-ups and headaches; with Disk Performance Analyzer for
Networks you can find and address potential problems before they become
help desk calls. Find disk performance problems before they find you:
download the FREE Disk Performance Analyzer for Networks now!
http://list.windowsitpro.com/t?ctl=2FEDE:4FB69
====================
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
discoveries at
http://list.windowsitpro.com/t?ctl=2FEE4:4FB69
Two New Excel Vulnerabilities Surface
You know the adage: When it rains it pours. On the heels of a zero-
day Excel vulnerability reported two weeks ago come two more Microsoft-
related vulnerabilities, one in Excel and one in Windows.
http://list.windowsitpro.com/t?ctl=2FEEE:4FB69
Workarounds for the First of Two Excel Vulnerabilities
Two weeks ago, a zero-day exploit was discovered that affects
Microsoft Excel. The vulnerability could allow the execution of
arbitrary code on an affected computer. Microsoft has published a
security advisory that includes possible workarounds to help you
protect your systems.
http://list.windowsitpro.com/t?ctl=2FEEA:4FB69
Windows Defender
Windows Defender Beta 2 is Microsoft's second antispyware beta
release, but it really feels more like a new program. New graphics,
tighter integration into the OS, and a streamlined interface all set
this release apart from its predecessor, Microsoft AntiSpyware Beta 1.
Jeff Fellinge gives you the skinny in this article on our Web site.
http://list.windowsitpro.com/t?ctl=2FEEC:4FB69
====================
==== Resources and Events ====
Attend Black Hat 2006 in Las Vegas July 29 - August 3; 2,500+
international security experts, 10 tracks, no vendor sales pitches.
http://list.windowsitpro.com/t?ctl=2FEF5:4FB69
Event Log (for Windows systems) and Syslog (for UNIX/Linux systems)
contain a wealth of information. In this free Web seminar, you'll learn
about the processes, challenges, and benefits of consolidating events
on a centralized server. Plus--identify the 50 critical events that
should be monitored in your enterprise. Live Event: Thursday, June 29
http://list.windowsitpro.com/t?ctl=2FEE9:4FB69
Make full use of your VoIP network--integrate Fax for IP to reduce TCO
and increase the ROI for your investment. On-demand Web seminar
http://list.windowsitpro.com/t?ctl=2FEDF:4FB69
Learn the essentials about how consolidating hardware and updating
selected technologies can help you build an infrastructure that can
handle change effectively.
http://list.windowsitpro.com/t?ctl=2FEE2:4FB69
In this free podcast, Randy Franklin Smith outlines five points to
consider when choosing an antispyware solution. Download the podcast
today, and you could win an iPod!
http://list.windowsitpro.com/t?ctl=2FEE1:4FB69
Implement real-time processes in your email and data systems--you could
also win a Best Buy Gift Card! Register today; the contest ends June
30.
http://list.windowsitpro.com/t?ctl=2FEE0:4FB69
====================
==== Featured White Paper ====
Strategically managing software licenses saves time and cuts costs by
centralizing licensing operations. Use this 5-step program to quickly
implement your license management program.
http://list.windowsitpro.com/t?ctl=2FEDD:4FB69
Don't miss your chance to win a pair of Bose Triport Headphones!
Download any white paper from Windows IT Pro before June 30 to enter.
See the full selection of papers today at
http://list.windowsitpro.com/t?ctl=2FEF2:4FB69
====================
==== Hot Spot ====
Free White Paper - "7 Steps for SIMple Log Monitoring"
Activeworx collects event logs from all your security devices and
vendors to provide a single Dashboard view along with correlated
alerts; hundreds of compliance reports; and deep forensics tools. Easy
to install and use. Personalized support. Click for Free White Paper -
7 Steps for SIMple Log Monitoring
http://list.windowsitpro.com/t?ctl=2FEDC:4FB69
====================
==== 3. Security Toolkit ====
Security Matters Blog: WildPackets' OmniPeek Personal
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=2FEF1:4FB69
Need an alternative to Ethereal and Wireshark? The OmniPeek Personal
packet capture and analysis tool might be your answer.
http://list.windowsitpro.com/t?ctl=2FEEB:4FB69
FAQ
by John Savill, http://list.windowsitpro.com/t?ctl=2FEEF:4FB69
Q: Where is the remote wipe facility in Microsoft Exchange Server 2003
Service Pack 2 (SP2)?
Find the answer at http://list.windowsitpro.com/t?ctl=2FEED:4FB69
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
====================
==== Announcements ====
(from Windows IT Pro and its partners)
Summer Special--Save 58% off Windows IT Pro
Subscribe to Windows IT Pro today and SAVE 58%! Along with your 12
issues, you'll get FREE access to the entire Windows IT Pro online
article archive, which houses more than 9,000 helpful articles. This is
a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2FEE7:4FB69
Need Access to Helpful SQL Server Articles?
Subscribe to SQL Server Magazine today and SAVE 58%! Along with your
12 issues, you'll get FREE access to the entire SQL Server Magazine
online article archive, which houses more than 2,300 helpful articles.
This is a limited-time offer, so order now:
http://list.windowsitpro.com/t?ctl=2FEE6:4FB69
====================
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Faster Intrusion Protection
Third Brigade announced Deep Security 4.5, the newest release of its
intrusion prevention system (IPS) that protects mission-critical hosts,
applications, and data from malicious attacks. New features are
designed to help customers deploy Deep Security more quickly. Customers
can purchase Third Brigade Deep Security Manager to place Deep Security
Agent software in IPS-ready mode on any number of hosts at no extra
cost. Then when they're ready, they can switch the Agent from detection
to prevention mode. Deep Security 4.5 also offers preconfigured
security profiles for more than 80 software applications that run on
Windows, Linux, and Solaris. And Third Brigade says it delivers new
filters within hours of the announcement of new software
vulnerabilities. For more information, go to
http://list.windowsitpro.com/t?ctl=2FEF4:4FB69
Tell Us About a Hot Product and Get a Best Buy Gift Card!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Best Buy Gift Card if we write about the product in a
Windows IT Pro What's Hot column. Send your product suggestion with
information about how the product has helped you to
whatshot at windowsitpro.com.
====================
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=2FEF3:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
====================
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
http://list.windowsitpro.com/t?ctl=2FEE8:4FB69
View the Windows IT Pro privacy policy at
http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2006, Penton Media, Inc. All rights reserved.
From isn at c4i.org Thu Jun 29 04:52:55 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:52:55 -0500 (CDT)
Subject: [ISN] Storage Company's Online Security Breach Exposed
Message-ID:
http://cbs5.com/topstories/local_story_178210503.html
By Sue Kwon
Reporting
Jun 27, 2006
(CBS 5) A CBS 5 investigation has confirmed a security breach at a
popular self-storage company that may have exposed customers' private
information on its website.
AAAAA Rent-A-Space has taken its online payment system offline and is
notifying thousands of customers to check for identity theft after CBS
5 told the company about a flaw on their website.
Howard Fortner describes the security at AAAAA Rent-A-Space in Colma
as tighter than Fort Knox. So he was surprised when the cyber gate was
left wide open on the storage facility's website.
While trying to make an online payment, Fortner says he accidentally
typed in someone else's storage unit number along with his password,
which is his phone number.
Up popped another customer's private information, including a name,
address, credit card, and Social Security number.
"I thought about mine's as vulnerable as that one," Fortner said. "I
tried it with a different number, and several accounts opened up."
His password opened at least five other customer profiles.
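The flaw as reported is an authorization failure: a valid password opened records for unit numbers it was never tied to. As an added example (constructed; not the site's Web-Expres code, whose internals the article does not show), the vulnerable lookup below models that behaviour beside a hardened one that binds the credential to the requested unit; the account records are made up.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    unit: str       # storage unit number typed into the payment form
    phone: str      # the site used the customer's phone number as password
    name: str
    ssn_last4: str  # stands in for the sensitive fields the page exposed


# Constructed sample records.
ACCOUNTS = {
    "101": Account("101", "5550101", "H. Fortner", "1234"),
    "102": Account("102", "5550102", "Other Customer", "9876"),
    "103": Account("103", "5550103", "Third Customer", "5555"),
}


def lookup_vulnerable(unit, password):
    """Assumed model of the reported flaw: the password is only checked for
    being *a* valid customer password, after which the record for whatever
    unit number was typed is returned. Fortner's password therefore opens
    unit 102's profile."""
    known_passwords = {acct.phone for acct in ACCOUNTS.values()}
    if password not in known_passwords:
        return None
    return ACCOUNTS.get(unit)


def lookup_hardened(unit, password):
    """The credential must match the record for the requested unit itself.
    An unknown unit and a wrong password both yield None, so the response
    does not reveal which one was wrong. (A phone number is still a weak
    secret; the fix shown here is only the missing ownership check.)"""
    acct = ACCOUNTS.get(unit)
    if acct is None:
        return None
    if not hmac.compare_digest(acct.phone.encode(), password.encode()):
        return None
    return acct


if __name__ == "__main__":
    # Fortner's password against someone else's unit number.
    print("vulnerable:", lookup_vulnerable("102", "5550101"))
    print("hardened:  ", lookup_hardened("102", "5550101"))
```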
After CBS 5 alerted AAAAA Rent-A-Space to the problem, the company
worked with the Arizona software developer who created the site's
account-based program called "Web-Expres." By late Tuesday afternoon,
they found the glitch and have taken the payment system offline until
it is patched.
AAAAA Rent-A-Space says its online payment system has been up for a
year with no other incidents reported.
The company says it plans to mail out 13,000 letters about the
discovery to customers in California and Hawaii, including those who
have items stored at the 10 Bay Area facilities.
(© MMVI, CBS Broadcasting Inc. All Rights Reserved.)
From isn at c4i.org Thu Jun 29 04:53:06 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:53:06 -0500 (CDT)
Subject: [ISN] Energy CIO outlines security plans
Message-ID:
http://www.fcw.com/article95092-06-28-06-Web
By Michael Hardy
June 28, 2006
Tom Pyke, chief information officer at the Energy Department, launched
a security revitalization program there when he took the position in
November 2005. Today that program is making strides in locking
intruders out of the department's systems, he told an audience at a
luncheon hosted by Input.
DOE has been in the spotlight recently because of a successful attack
in which cyberthieves stole personal data on about 1,500 contract and
agency employees. That incident happened in July 2005, Pyke said, but
it was not reported to agency leaders until recently. The
revitalization project was not connected to that theft, he added.
The thieves used an old-fashioned "social engineering" attack, sending
an e-mail message with malicious code in an attachment. An employee
clicked on the attachment, executing software that set up a "back
door" for the thieves to access the network of the National Nuclear
Security Agency, a semi-autonomous organization within DOE.
DOE includes a network of national laboratories, and about 60 percent
of the computer systems within the department are connected to
national security, which calls for extra protection, he said.
"We have a lot of the right policies and we have very bright people,"
Pyke said. "It's just a matter of [my] helping refocus priorities."
DOE seems to be a favorite target of would-be hackers, with several
hundred thousand attempted attacks a day, he said. Most of those,
however, are routine and harmless, and fewer than 100 so far this year
have been deemed "incidents" needing a response.
The revitalization effort includes the increased use of encryption
software, regular analysis of every aspect of cybersecurity throughout
the department and the use of "red teams," employees who try to defeat
the defenses to identify weaknesses, he said.
Despite best efforts, however, agency leaders and the public need to
understand "there's no such thing as perfect cyberdefense," Pyke said.
"We have made systems so complex that there will be vulnerabilities,
and sometimes those vulnerabilities will be exploited before we can
get protection in place."
From isn at c4i.org Thu Jun 29 04:53:18 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:53:18 -0500 (CDT)
Subject: [ISN] U.S. Cybersecurity Chief May Have a Conflict of Interest
Message-ID:
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/28/AR2006062801903.html
Associated Press
June 29, 2006
The Bush administration's cybersecurity chief is a contract employee
who earns $577,000 under an agreement with a private university that
does extensive business with the federal office he manages.
Donald "Andy" Purdy Jr. has been acting director of the Homeland
Security Department's National Cyber Security Division for 21 months.
His two-year contract with Carnegie Mellon University in Pittsburgh
has drawn attention from members of Congress. By comparison, the
Homeland Security secretary, Michael Chertoff, is paid $175,000
annually.
Purdy is on loan from the school to the government, which is paying
nearly all his salary. Meanwhile, Purdy's cybersecurity division has
paid Carnegie Mellon $19 million in contracts this year, almost
one-fifth of the unit's total budget.
Purdy said he has not been involved in discussions of his office's
business deals with the school. "I'm very sensitive to those kinds of
requirements," Purdy said. "It's not like Carnegie Mellon has ever
said to me, 'We want to do this or that. We want more money.' "
Some lawmakers who oversee the department questioned the decision to
hire Purdy as acting cybersecurity director. They noted enduring
criticism by industry experts and congressional investigators over the
department's performance on cybersecurity matters.
Purdy's contract "raises questions about whether the American people
are getting their money's worth," Democratic Reps. Bennie Thompson of
Mississippi and Loretta Sanchez and Zoe Lofgren, both of California,
wrote in a letter to Republicans.
Purdy, a longtime lawyer, has held a number of state and federal legal
and managerial jobs. He has no formal technical background in computer
security.
Purdy controls a budget of about $107 million and as many as 44
full-time federal employees. He said his salary is commensurate with
those of some other government contractors.
Purdy's former boss and predecessor as cybersecurity chief, Amit
Yoran, earned $131,342 before he resigned abruptly in October 2004.
Chertoff agreed one year ago to create a position of assistant
secretary over cybersecurity. The job is unfilled, a point of
consternation among many security experts.
Carnegie Mellon is highly regarded among experts who study hacker
attacks and software flaws. The university declined to comment on
Purdy's salary, citing employee confidentiality. It said it has
avoided discussing government contracts with Purdy in his role as
chief of the cybersecurity office that awards those contracts.
The department said Purdy consulted with ethics lawyers when he signed
his employment contract. Purdy is so careful about avoiding potential
conflicts that he leaves the room when employees discuss contracts
related to Carnegie Mellon's work, said one DHS official, who spoke on
the condition of anonymity because this official is not authorized to
speak with reporters.
© 2006 The Washington Post Company
From isn at c4i.org Thu Jun 29 04:53:31 2006
From: isn at c4i.org (InfoSec News)
Date: Thu, 29 Jun 2006 03:53:31 -0500 (CDT)
Subject: [ISN] Sale of Digital Security Firm Said to Be Near
Message-ID:
http://www.nytimes.com/2006/06/29/technology/29deal.html
By ANDREW ROSS SORKIN and JOHN MARKOFF
June 29, 2006
RSA Security, a pioneering digital security company, quietly put
itself up for sale several months ago and is now near a deal with EMC
or at least one other bidder, people involved in the auction process
said last night.
A deal, possibly worth more than $1.8 billion, could be reached in a
few days, these people said. The company has a market value of $1.46
billion.
RSA's board is expected to meet before the weekend to review final
bids, these people said. They cautioned, however, that it remained
possible that RSA could still decide against a sale.
It could not be learned last night who was competing against EMC, the
data storage giant.
RSA, based in Bedford, Mass., makes physical security cards under the
SecurID brand that are widely used in authentication systems at
corporations around the world. The company is also active in
developing antifraud technologies and a variety of encryption systems.
RSA takes its name from the initials of its three founders: Ronald
Rivest, Adi Shamir and Leonard Adleman. The three, who are academic
researchers, are leading figures in the field of cryptography who
developed an important algorithm in a technology known as public key
cryptography.
The company became a commercial success largely through the efforts of
an early chief executive, Jim Bidzos, who became an outspoken advocate
of commercial cryptography in the face of government opposition. He
struck an early deal to use RSA technology in the Netscape browser.
Today, the company has $322 million in annual revenue and $40.5
million in net income.
RSA is widely known for sponsoring the RSA Security conference, a
trade show and conference that has become the focus of the computer
security industry.
Shares of RSA closed yesterday at $19.36, up 15 cents.
From isn at c4i.org Fri Jun 30 12:35:54 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:35:54 -0500 (CDT)
Subject: [ISN] Hacker breaks into Treasurer's Office
Message-ID:
http://www.journalstar.com/articles/2006/06/29/local/doc44a3fa6c4f795799631319.txt
By NATE JENKINS
Lincoln Journal Star
June 30, 2006
Personal and financial information of more than 300,000 people may be
in the hands of a hacker following a Wednesday break-in of the state
computer system that processes child-support payments.
A preliminary investigation of the incident suggests that the hacker
did not download the information, said State Treasurer Ron Ross. But
the possibility does exist.
"Based upon the method of attack, it is more likely the hacker's
intent was not to steal information, but rather to do something
malicious since the hacker inserted a virus onto the server, which we
immediately removed," Ross said.
The child-support payment system was centralized in the treasurer's
office five years ago and now processes $1 million in transactions
daily. Identity information potentially stolen by the hacker, which
investigators believe may be based outside the U.S. and possibly in
Asia, includes: names, addresses, bank account numbers, social
security numbers and tax identification numbers.
Roughly 300,000 individuals and 9,000 employers may be affected. Ross
said it was the first time the computer system, called KidCare, had
been hacked. He was not aware of similar security breaches in other
states.
The break-in, which Ross said lasted about 40 minutes, was detected by
an employee after coming to work Wednesday morning. The system is not
monitored 24 hours a day by a person.
The State Patrol has initiated a full investigation that could include
help from the FBI and other agencies. Ross pledged to "get to the
bottom of it" and implement new safeguards to prevent future
break-ins. But that won't likely include round-the-clock monitoring of
the system by a person.
"I don't think we're at a point in government we want somebody
standing by a computer screen 24-7, but we do need protocols in
place," Ross said.
"We thought we had good safeguards...somebody got in a door we didn't
think they'd be able to get into."
The hard drive and server affected by the breach were immediately
replaced.
Unlike many arms of state government, the child-support system is not
part of the state's centrally controlled computer system, said Brenda
Decker, chief information officer for the state. The incident will
prompt state officials to take a closer look at whether it should be.
"We're working with the State Patrol to see if we can make this as
secure and hardened as the rest of the system," Decker said.
Asked during a press conference if the child-support system had the
best available security system, Ross said he believed it did.
Those who pay or receive child support should closely monitor their
bank accounts, and are advised to close them if they see suspicious
activity.
© 2002-2006, Lincoln Journal Star. All rights reserved.
From isn at c4i.org Fri Jun 30 12:36:20 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:36:20 -0500 (CDT)
Subject: [ISN] Secunia Weekly Summary - Issue: 2006-26
Message-ID:
========================================================================
The Secunia Weekly Advisory Summary
2006-06-22 - 2006-06-29
This week: 88 advisories
========================================================================
Table of Contents:
1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Week's Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing
========================================================================
1) Word From Secunia:
The Secunia staff spends hours every day to ensure you have the best
and most reliable source of vulnerability information. Every single
vulnerability report is validated and verified before a Secunia
advisory is written.
Secunia validates and verifies vulnerability reports in many different
ways e.g. by downloading the software and performing comprehensive
tests, by reviewing source code, or by validating the credibility of
the source from which the vulnerability report was issued.
As a result, Secunia's database is the most correct and complete source
for recent vulnerability information available on the Internet.
Secunia Online Vulnerability Database:
http://secunia.com/
========================================================================
2) This Week in Brief:
Plebo Aesdi Nael has discovered two vulnerabilities in Internet
Explorer, which can be exploited by malicious people to disclose
potentially sensitive information and potentially compromise a user's
system.
Secunia has constructed a test for one of the issues, which is
available at:
http://secunia.com/internet_explorer_information_disclosure_vulnerability_test/
Additional details can be found in the referenced Secunia advisory.
Reference:
http://secunia.com/SA20825
--
VigilantMinds has reported a vulnerability in the Opera browser, which
potentially can be exploited by malicious people to compromise a
user's system.
A weakness has also been reported, which can be exploited to display
the SSL certificate from a trusted site on an untrusted site.
Further details are available in the referenced Secunia advisories.
References:
http://secunia.com/SA20787
http://secunia.com/SA19480
--
Two vulnerabilities have been reported in various F-Secure Antivirus
products, which can be exploited by malware to bypass the scanning
functionality.
The vendor has released patches, which correct these vulnerabilities.
Please refer to the referenced Secunia advisory for additional details.
Reference:
http://secunia.com/SA20858
--
VIRUS ALERTS:
During the past week Secunia collected 253 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.
========================================================================
3) This Week's Top Ten Most Read Advisories:
1. [SA20748] Microsoft Windows Hyperlink Object Library Buffer Overflow
2. [SA20722] WinAmp MIDI File Handling Buffer Overflow Vulnerability
3. [SA20686] Microsoft Excel Repair Mode Code Execution Vulnerability
4. [SA20787] Opera JPEG Processing Integer Overflow Vulnerability
5. [SA20825] Internet Explorer Information Disclosure and HTA Application Execution
6. [SA20153] Microsoft Word Malformed Object Pointer Vulnerability
7. [SA20773] Yahoo! Messenger Denial of Service Weakness
8. [SA20789] Cisco CallManager RealVNC Password Authentication Bypass
9. [SA20723] IBM HMC Sendmail and OpenSSH Vulnerabilities
10. [SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability
========================================================================
4) Vulnerabilities Summary Listing
Windows:
[SA20862] Nokia PC Suite CDDBControl ActiveX Control Buffer Overflow
[SA20861] Gracenote CDDBControl ActiveX Control Buffer Overflow
[SA20789] Cisco CallManager RealVNC Password Authentication Bypass
[SA20858] F-Secure Antivirus Products Scanning Bypass Vulnerability
[SA20855] Lotus Domino Malformed vCal Processing Denial of Service
[SA20851] Icculus.org Quake3 Engine Two Vulnerabilities
[SA20790] MailEnable SMTP Service HELO Denial of Service
[SA20777] Webmin Directory Traversal Vulnerability
[SA20825] Internet Explorer Information Disclosure and HTA Application Execution
[SA20856] CA Products Scan Job Description Format String Vulnerability
[SA20816] Cisco Secure ACS Session Management Security Issue
[SA20794] Trend Micro Control Manager "Username" Script Insertion
[SA20830] Lanap BotDetect ASP.NET CAPTCHA Bypass Weakness
UNIX/Linux:
[SA20879] Mandriva update for mutt
[SA20866] Mandriva update for tetex
[SA20854] Gentoo update for mutt
[SA20850] Gentoo update for tikiwiki
[SA20846] Gentoo update for hashcash
[SA20844] Gentoo update for wv2
[SA20837] Gentoo update for emech
[SA20836] Ubuntu update for mutt
[SA20831] rPath update for kernel
[SA20829] Mandriva update for gnupg
[SA20828] Mandriva update for xine-lib
[SA20826] Mandriva update for wv2
[SA20824] Mandriva update for libwmf
[SA20811] Slackware update for gnupg
[SA20810] Mutt IMAP Namespace Buffer Overflow Vulnerability
[SA20805] EnergyMech "parse_notice" Denial of Service Vulnerability
[SA20801] Ubuntu update for gnupg
[SA20800] Hashcash "array_push" Buffer Overflow Vulnerability
[SA20792] Debian update for courier
[SA20791] SUSE update for freetype2
[SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability
[SA20782] SGI Advanced Linux Environment Multiple Updates
[SA20853] Mandriva update for gd
[SA20849] Gentoo update for horde
[SA20848] Ubuntu update for OpenLDAP
[SA20840] cPanel "file" Parameter Cross-Site Scripting Vulnerability
[SA20788] phpQLAdmin "domain" Cross-Site Scripting Vulnerability
[SA20871] Ubuntu update for mysql-server
[SA20832] Mandriva update for MySQL
[SA20869] Slackware update for kdebase
[SA20868] Slackware update for arts
[SA20827] Mandriva update for arts
[SA20786] Gentoo update for aRts
[SA20785] Gentoo update for kdebase / KDM
[SA20834] Debian update for pinball
[SA20818] PHP "error_log()" Safe Mode Bypass Weakness
[SA20809] HP-UX Kernel Denial of Service Vulnerability
[SA20778] Emilia Pinball Compiled Plugins Loading Vulnerability
Other:
[SA20860] Cisco Wireless Access Point Web Management Vulnerability
Cross Platform:
[SA20823] Mambo MOD_CBSMS Module File Inclusion Vulnerability
[SA20819] Mambo Pearl For Mambo Module File Inclusion Vulnerabilities
[SA20815] phpBB THoRCMS Add-On "phpbb_root_path" File Inclusion
[SA20814] Bee-hive Lite Multiple File Inclusion Vulnerabilities
[SA20812] PrivateWire Registration Functionality Buffer Overflow
[SA20787] Opera JPEG Processing Integer Overflow Vulnerability
[SA20784] Helix DNA Server Heap Corruption Vulnerabilities
[SA20779] W-Agora Multiple File Inclusion Vulnerabilities
[SA20857] Scout Portal Toolkit "forumid" Parameter SQL Injection
[SA20847] MF Piadas "page" Parameter File Inclusion Vulnerability
[SA20842] Jaws Cross-Site Scripting and SQL Injection
[SA20839] Custom dating biz dating script Multiple Vulnerabilities
[SA20838] Anthill SQL Injection Vulnerabilities
[SA20813] DeluxeBB Cross-Site Scripting and SQL Injection
[SA20806] ICT "post" Parameter SQL Injection Vulnerability
[SA20802] Softbiz Dating Script SQL Injection Vulnerabilities
[SA20796] Open Guestbook Cross-Site Scripting and SQL Injection
[SA20795] MyBB "showcodebuttons" SQL Injection Vulnerability
[SA20793] IBM WebSphere Application Server Two Vulnerabilities
[SA20780] YaBB SE "user" SQL Injection Vulnerability
[SA20872] Metalhead Usenet Script "group" Cross-Site Scripting
[SA20863] Hostflow Help Desk Script Insertion Vulnerability
[SA20843] Phorum Cross-Site Scripting Vulnerability
[SA20841] SiteBar "command" Cross-Site Scripting Vulnerability
[SA20835] Sun Java System Application Server Cross-Site Scripting
[SA20833] Dating Agent PRO Cross-Site Scripting and Information Exposure
[SA20822] dotProject "login" Parameter Cross-Site Scripting Vulnerability
[SA20821] Namo DeepSearch "p" Parameter Cross-Site Scripting
[SA20820] aeDating Multiple Cross-Site Scripting Vulnerabilities
[SA20817] Claroline Unspecified Cross-Site Scripting Vulnerability
[SA20808] Qdig Cross-Site Scripting Vulnerabilities
[SA20804] UebiMiau Cross-Site Scripting Vulnerabilities
[SA20803] mvnForum "activatemember" Cross-Site Scripting
[SA20798] H-Sphere Multiple Cross-Site Scripting Vulnerabilities
[SA20797] XennoBB "tid" Cross-Site Scripting Vulnerability
[SA20781] GL-SH Deaf Forum show.php Cross-Site Scripting
========================================================================
5) Vulnerabilities Content Listing
Windows:
--
[SA20862] Nokia PC Suite CDDBControl ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-28
A vulnerability has been reported in Nokia PC Suite, which can be
exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20862/
--
[SA20861] Gracenote CDDBControl ActiveX Control Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-28
A vulnerability has been reported in GraceNote CDDBControl ActiveX
Control, which can be exploited by malicious people to compromise a
user's system.
Full Advisory:
http://secunia.com/advisories/20861/
--
[SA20789] Cisco CallManager RealVNC Password Authentication Bypass
Critical: Highly critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-23
Cisco has acknowledged a vulnerability in Cisco CallManager, which can
be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20789/
--
[SA20858] F-Secure Antivirus Products Scanning Bypass Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-28
Two vulnerabilities have been reported in various F-Secure Antivirus
products, which can be exploited by malware to bypass the scanning
functionality.
Full Advisory:
http://secunia.com/advisories/20858/
--
[SA20855] Lotus Domino Malformed vCal Processing Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-28
Ollie Whitehouse has reported a vulnerability in Lotus Domino, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20855/
--
[SA20851] Icculus.org Quake3 Engine Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, DoS, System access
Released: 2006-06-28
Luigi Auriemma has reported two vulnerabilities in Icculus.org Quake3,
which can be exploited by malicious people to bypass certain security
restrictions, cause a DoS (Denial of Service), and potentially to
compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20851/
--
[SA20790] MailEnable SMTP Service HELO Denial of Service
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-26
DivisionByZero has reported a vulnerability in MailEnable, which can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20790/
--
[SA20777] Webmin Directory Traversal Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information
Released: 2006-06-23
Keigo Yamazaki has reported a vulnerability in Webmin, which can be
exploited by malicious people to disclose potentially sensitive
information.
Full Advisory:
http://secunia.com/advisories/20777/
--
[SA20825] Internet Explorer Information Disclosure and HTA Application Execution
Critical: Less critical
Where: From remote
Impact: Exposure of sensitive information, System access
Released: 2006-06-27
Plebo Aesdi Nael has discovered two vulnerabilities in Internet
Explorer, which can be exploited by malicious people to disclose
potentially sensitive information and potentially compromise a user's
system.
Full Advisory:
http://secunia.com/advisories/20825/
--
[SA20856] CA Products Scan Job Description Format String Vulnerability
Critical: Less critical
Where: From local network
Impact: DoS, System access
Released: 2006-06-28
A vulnerability has been reported in some CA products, which can be
exploited by malicious users to cause a DoS (Denial of Service) and
potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20856/
--
[SA20816] Cisco Secure ACS Session Management Security Issue
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-06-26
Darren Bounds has reported a security issue in Cisco Secure ACS, which
can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20816/
--
[SA20794] Trend Micro Control Manager "Username" Script Insertion
Critical: Less critical
Where: From local network
Impact: Cross Site Scripting
Released: 2006-06-27
Darren Bounds has discovered a vulnerability in Trend Micro Control
Manager, which can be exploited by malicious people to conduct script
insertion attacks.
Full Advisory:
http://secunia.com/advisories/20794/
--
[SA20830] Lanap BotDetect ASP.NET CAPTCHA Bypass Weakness
Critical: Not critical
Where: From remote
Impact: Security Bypass
Released: 2006-06-26
Michael White and Graham Murphy have reported a weakness in Lanap
BotDetect ASP.NET, which can be exploited by malicious people to bypass
certain security restrictions.
Full Advisory:
http://secunia.com/advisories/20830/
UNIX/Linux:
--
[SA20879] Mandriva update for mutt
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-29
Mandriva has issued an update for mutt. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20879/
--
[SA20866] Mandriva update for tetex
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-28
Mandriva has issued an update for tetex. This fixes some
vulnerabilities, which potentially can be exploited by malicious people
to cause a DoS (Denial of Service) and to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20866/
--
[SA20854] Gentoo update for mutt
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-29
Gentoo has issued an update for mutt. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20854/
--
[SA20850] Gentoo update for tikiwiki
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-29
Gentoo has issued an update for tikiwiki. This fixes some
vulnerabilities, which can be exploited by malicious people to conduct
cross-site scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20850/
--
[SA20846] Gentoo update for hashcash
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-27
Gentoo has issued an update for hashcash. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20846/
--
[SA20844] Gentoo update for wv2
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-26
Gentoo has issued an update for wv2. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise an
application using the library.
Full Advisory:
http://secunia.com/advisories/20844/
--
[SA20837] Gentoo update for emech
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-27
Gentoo has issued an update for emech. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20837/
--
[SA20836] Ubuntu update for mutt
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-28
Ubuntu has issued an update for mutt. This fixes a vulnerability, which
can be exploited by malicious people to cause a DoS (Denial of Service)
and potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20836/
--
[SA20831] rPath update for kernel
Critical: Moderately critical
Where: From remote
Impact: Exposure of system information, Exposure of sensitive
information, DoS
Released: 2006-06-26
rPath has released an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
disclose potentially sensitive information and cause a DoS (Denial of
Service), and by malicious people to cause a DoS.
Full Advisory:
http://secunia.com/advisories/20831/
--
[SA20829] Mandriva update for gnupg
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-26
Mandriva has issued an update for gnupg. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/20829/
--
[SA20828] Mandriva update for xine-lib
Critical: Moderately critical
Where: From remote
Impact: System access, DoS
Released: 2006-06-26
Mandriva has issued an update for xine-lib. This fixes a weakness,
which can be exploited by malicious people to crash certain
applications on a user's system.
Full Advisory:
http://secunia.com/advisories/20828/
--
[SA20826] Mandriva update for wv2
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-26
Mandriva has issued an update for wv2. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise an
application using the library.
Full Advisory:
http://secunia.com/advisories/20826/
--
[SA20824] Mandriva update for libwmf
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-28
Mandriva has issued an update for libwmf. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/20824/
--
[SA20811] Slackware update for gnupg
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-28
Slackware has issued an update for gnupg. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/20811/
--
[SA20810] Mutt IMAP Namespace Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-26
TAKAHASHI Tamotsu has reported a vulnerability in Mutt, which can be
exploited by malicious people to cause a DoS (Denial of Service) and
potentially compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20810/
--
[SA20805] EnergyMech "parse_notice" Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-27
A vulnerability has been reported in EnergyMech, which can be exploited
by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20805/
--
[SA20801] Ubuntu update for gnupg
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-27
Ubuntu has issued an update for gnupg. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/20801/
--
[SA20800] Hashcash "array_push" Buffer Overflow Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-27
A vulnerability has been reported in Hashcash, which can be exploited
by malicious people to cause a DoS (Denial of Service) and potentially
to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20800/
--
[SA20792] Debian update for courier
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-23
Debian has issued an update for courier. This fixes a vulnerability,
which potentially can be exploited by malicious people to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/20792/
--
[SA20791] SUSE update for freetype2
Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-27
SUSE has issued an update for freetype2. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and potentially compromise applications using
the library.
Full Advisory:
http://secunia.com/advisories/20791/
--
[SA20783] GnuPG "parse-packet.c" Denial of Service Vulnerability
Critical: Moderately critical
Where: From remote
Impact: DoS
Released: 2006-06-23
A vulnerability has been reported in GnuPG, which potentially can be
exploited by malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20783/
--
[SA20782] SGI Advanced Linux Environment Multiple Updates
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of system
information, Privilege escalation, DoS
Released: 2006-06-23
SGI has issued a patch for SGI Advanced Linux Environment. This fixes
some vulnerabilities, a weakness, and two security issues, which can be
exploited by malicious, local users to perform certain actions with
escalated privileges, to bypass certain security restrictions, and to
cause a DoS (Denial of Service), and by malicious people to bypass
certain security restrictions, to disclose system information, to cause
a DoS (Denial of Service), and to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20782/
--
[SA20853] Mandriva update for gd
Critical: Less critical
Where: From remote
Impact: DoS
Released: 2006-06-28
Mandriva has issued an update for gd. This fixes a vulnerability, which
potentially can be exploited by malicious people to cause a DoS (Denial
of Service) against applications and services using libgd.
Full Advisory:
http://secunia.com/advisories/20853/
--
[SA20849] Gentoo update for horde
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-29
Gentoo has issued an update for horde. This fixes some vulnerabilities,
which can be exploited by malicious people to conduct cross-site
scripting attacks.
Full Advisory:
http://secunia.com/advisories/20849/
--
[SA20848] Ubuntu update for OpenLDAP
Critical: Less critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-27
Ubuntu has issued an update for OpenLDAP. This fixes a vulnerability,
which potentially can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/20848/
--
[SA20840] cPanel "file" Parameter Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-27
Preth00nker has reported a vulnerability in cPanel, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20840/
--
[SA20788] phpQLAdmin "domain" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
r0t has reported some vulnerabilities in phpQLAdmin, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20788/
--
[SA20871] Ubuntu update for mysql-server
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-06-28
Ubuntu has issued an update for mysql-server. This fixes a
vulnerability, which can be exploited by malicious users to cause a DoS
(Denial of Service).
Full Advisory:
http://secunia.com/advisories/20871/
--
[SA20832] Mandriva update for MySQL
Critical: Less critical
Where: From local network
Impact: DoS
Released: 2006-06-26
Mandriva has issued an update for MySQL. This fixes a vulnerability,
which can be exploited by malicious users to cause a DoS (Denial of
Service).
Full Advisory:
http://secunia.com/advisories/20832/
--
[SA20869] Slackware update for kdebase
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-28
Slackware has issued an update for kdebase. This fixes a vulnerability,
which can be exploited by malicious, local users to gain knowledge of
sensitive information.
Full Advisory:
http://secunia.com/advisories/20869/
--
[SA20868] Slackware update for arts
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-28
Slackware has issued an update for arts. This fixes a vulnerability,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/20868/
--
[SA20827] Mandriva update for arts
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-26
Mandriva has issued an update for arts. This fixes a security issue,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/20827/
--
[SA20786] Gentoo update for aRts
Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-23
Gentoo has issued an update for aRts. This fixes a security issue,
which potentially can be exploited by malicious, local users to perform
certain actions with escalated privileges.
Full Advisory:
http://secunia.com/advisories/20786/
--
[SA20785] Gentoo update for kdebase / KDM
Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information
Released: 2006-06-23
Gentoo has issued an update for kdebase / KDM. This fixes a
vulnerability, which can be exploited by malicious, local users to gain
knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/20785/
--
[SA20834] Debian update for pinball
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-26
Debian has issued an update for pinball. This fixes a vulnerability,
which can be exploited by malicious, local users to gain escalated
privileges.
Full Advisory:
http://secunia.com/advisories/20834/
--
[SA20818] PHP "error_log()" Safe Mode Bypass Weakness
Critical: Not critical
Where: Local system
Impact: Security Bypass
Released: 2006-06-26
Maksymilian Arciemowicz has discovered a weakness in PHP, which can be
exploited by malicious, local users to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20818/
--
[SA20809] HP-UX Kernel Denial of Service Vulnerability
Critical: Not critical
Where: Local system
Impact: DoS
Released: 2006-06-27
A vulnerability has been reported in HP-UX, which can be exploited by
malicious people to cause a DoS (Denial of Service).
Full Advisory:
http://secunia.com/advisories/20809/
--
[SA20778] Emilia Pinball Compiled Plugins Loading Vulnerability
Critical: Not critical
Where: Local system
Impact: Privilege escalation
Released: 2006-06-26
A vulnerability has been reported in Pinball, which can be exploited by
malicious, local users to gain escalated privileges.
Full Advisory:
http://secunia.com/advisories/20778/
Other:
--
[SA20860] Cisco Wireless Access Point Web Management Vulnerability
Critical: Less critical
Where: From local network
Impact: Security Bypass
Released: 2006-06-29
A vulnerability has been reported in Cisco Wireless Access Point, which
can be exploited by malicious people to bypass certain security
restrictions.
Full Advisory:
http://secunia.com/advisories/20860/
Cross Platform:
--
[SA20823] Mambo MOD_CBSMS Module File Inclusion Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-27
Kw3[R]Ln has discovered a vulnerability in the MOD_CBSMS module for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/20823/
--
[SA20819] Mambo Pearl For Mambo Module File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-28
Kw3[R]Ln has discovered some vulnerabilities in the Pearl For Mambo
module for Mambo, which can be exploited by malicious people to
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20819/
--
[SA20815] phpBB THoRCMS Add-On "phpbb_root_path" File Inclusion
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-26
Kw3[R]Ln has reported a vulnerability in the "THoRCMS" add-on for
phpBB, which can be exploited by malicious people to compromise a
vulnerable system.
Full Advisory:
http://secunia.com/advisories/20815/
--
[SA20814] Bee-hive Lite Multiple File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-26
Kw3[R]Ln has discovered some vulnerabilities in Bee-hive Lite, which
can be exploited by malicious people to compromise a vulnerable
system.
Full Advisory:
http://secunia.com/advisories/20814/
--
[SA20812] PrivateWire Registration Functionality Buffer Overflow
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-27
Michael Thumann has reported a vulnerability in PrivateWire, which can
be exploited by malicious people to cause a DoS and potentially
compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20812/
--
[SA20787] Opera JPEG Processing Integer Overflow Vulnerability
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-23
VigilantMinds has reported a vulnerability in Opera browser, which can
be exploited by malicious people to compromise a user's system.
Full Advisory:
http://secunia.com/advisories/20787/
--
[SA20784] Helix DNA Server Heap Corruption Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2006-06-26
Mu Security research team has reported two vulnerabilities in Helix DNA
Server, which can be exploited by malicious people to cause a DoS
(Denial of Service) and potentially compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20784/
--
[SA20779] W-Agora Multiple File Inclusion Vulnerabilities
Critical: Highly critical
Where: From remote
Impact: System access
Released: 2006-06-23
Dedi Dwianto has discovered some vulnerabilities in W-Agora, which can
be exploited by malicious people to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20779/
--
[SA20857] Scout Portal Toolkit "forumid" Parameter SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-28
Simo64 has discovered a vulnerability in Scout Portal Toolkit, which
can be exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20857/
--
[SA20847] MF Piadas "page" Parameter File Inclusion Vulnerability
Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2006-06-28
Kurdish Security has discovered a vulnerability in MF Piadas, which can
be exploited by malicious users to compromise a vulnerable system.
Full Advisory:
http://secunia.com/advisories/20847/
--
[SA20842] Jaws Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-27
rgod has discovered some vulnerabilities in Jaws, which can be
exploited by malicious people to conduct cross-site scripting attacks
and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20842/
--
[SA20839] Custom dating biz dating script Multiple Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
luny has reported some vulnerabilities in Custom dating biz dating
script, which can be exploited by malicious people to conduct
cross-site scripting and script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20839/
--
[SA20838] Anthill SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-26
r0t has discovered two vulnerabilities in Anthill, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20838/
--
[SA20813] DeluxeBB Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, Manipulation of
data
Released: 2006-06-26
Two vulnerabilities have been discovered in DeluxeBB, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20813/
--
[SA20806] ICT "post" Parameter SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-26
r0t has reported a vulnerability in ICT, which can be exploited by
malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20806/
--
[SA20802] Softbiz Dating Script SQL Injection Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-26
Ellipsis Security has reported some vulnerabilities in Softbiz Dating
Script, which can be exploited by malicious people to conduct SQL
injection attacks.
Full Advisory:
http://secunia.com/advisories/20802/
--
[SA20796] Open Guestbook Cross-Site Scripting and SQL Injection
Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2006-06-27
Moroccan Security Team has discovered two vulnerabilities in Open
Guestbook, which can be exploited by malicious people to conduct
cross-site scripting and SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20796/
--
[SA20795] MyBB "showcodebuttons" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data
Released: 2006-06-26
imei addmimistrator has reported a vulnerability in MyBB, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20795/
--
[SA20793] IBM WebSphere Application Server Two Vulnerabilities
Critical: Moderately critical
Where: From remote
Impact: Unknown, Exposure of sensitive information
Released: 2006-06-27
Two vulnerabilities have been reported in IBM WebSphere Application
Server, where one has an unknown impact and the other can be exploited
by malicious people to gain knowledge of sensitive information.
Full Advisory:
http://secunia.com/advisories/20793/
--
[SA20780] YaBB SE "user" SQL Injection Vulnerability
Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2006-06-23
Sam Thomas has discovered a vulnerability in YaBB SE, which can be
exploited by malicious people to conduct SQL injection attacks.
Full Advisory:
http://secunia.com/advisories/20780/
--
[SA20872] Metalhead Usenet Script "group" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-28
luny has reported a vulnerability in Metalhead Usenet Script, which can
be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20872/
--
[SA20863] Hostflow Help Desk Script Insertion Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-28
r0t has reported a vulnerability in Hostflow, which can be exploited by
malicious users to conduct script insertion attacks.
Full Advisory:
http://secunia.com/advisories/20863/
--
[SA20843] Phorum Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-27
A vulnerability has been reported in Phorum, which can be exploited by
malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20843/
--
[SA20841] SiteBar "command" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-28
Botan has discovered a vulnerability in SiteBar, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20841/
--
[SA20835] Sun Java System Application Server Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
A vulnerability has been reported in Sun Java System Application
Server, which can be exploited by malicious people to conduct
cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20835/
--
[SA20833] Dating Agent PRO Cross-Site Scripting and Information
Exposure
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting, Exposure of system information
Released: 2006-06-26
Ellipsis Security has reported some vulnerabilities and a weakness in
Dating Agent PRO, which can be exploited by malicious people to
disclose system information and conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20833/
--
[SA20822] dotProject "login" Parameter Cross-Site Scripting
Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
A vulnerability has been reported in dotProject, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20822/
--
[SA20821] Namo DeepSearch "p" Parameter Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
Kil13r has reported a vulnerability in Namo DeepSearch, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20821/
--
[SA20820] aeDating Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
Ellipsis Security has reported some vulnerabilities in aeDating, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20820/
--
[SA20817] Claroline Unspecified Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-27
securitynews has reported a vulnerability in Claroline, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20817/
--
[SA20808] Qdig Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
Two vulnerabilities have been discovered in Qdig, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20808/
--
[SA20804] UebiMiau Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
r0t has reported some vulnerabilities in UebiMiau, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20804/
--
[SA20803] mvnForum "activatemember" Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
r0t has reported some vulnerabilities in mvnForum, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20803/
--
[SA20798] H-Sphere Multiple Cross-Site Scripting Vulnerabilities
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-27
r0t has reported some vulnerabilities in H-Sphere, which can be
exploited by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20798/
--
[SA20797] XennoBB "tid" Cross-Site Scripting Vulnerability
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
r0t has discovered a vulnerability in XennoBB, which can be exploited
by malicious people to conduct cross-site scripting attacks.
Full Advisory:
http://secunia.com/advisories/20797/
--
[SA20781] GL-SH Deaf Forum show.php Cross-Site Scripting
Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2006-06-26
Some vulnerabilities have been discovered in GL-SH Deaf Forum, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Full Advisory:
http://secunia.com/advisories/20781/
========================================================================
Secunia recommends that you verify all advisories you receive,
by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use
those supplied by the vendor.
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Subscribe:
http://secunia.com/secunia_weekly_summary/
Contact details:
Web : http://secunia.com/
E-mail : support at secunia.com
Tel : +45 70 20 51 44
Fax : +45 70 20 51 45
From isn at c4i.org Fri Jun 30 12:36:31 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:36:31 -0500 (CDT)
Subject: [ISN] EMC to buy RSA for $2.1 billion
Message-ID:
http://news.com.com/EMC+to+buy+RSA+for+2.1+billion/2100-7350_3-6089665.html
By Joris Evers
Staff Writer, CNET News.com
June 29, 2006
update: Data storage specialist EMC has agreed to acquire digital
security company RSA Security for slightly less than $2.1 billion.
EMC will pay $28 in cash for each share of RSA and the assumption of
outstanding options, the Hopkinton, Mass., company said Thursday in a
statement. That brings the aggregate purchase price to just under $2.1
billion, net of RSA's existing cash balance, it said.
With the takeover, EMC said, it will create a company that can help
organizations securely manage their information. EMC is a large
provider of data storage products, while RSA sells identity and access
management technologies, such as its SecurID tokens, as well as
encryption and key management software.
"EMC is where information lives and tomorrow EMC will be the company
where information lives securely," Joe Tucci, chief executive of the
data storage maker, said on a conference call.
During the conference call, Tucci faced heat from financial analysts
who questioned the relatively high price paid for RSA and the reasons
for acquiring the company.
"This company and this space are incredibly hot," Tucci said in
response to the critique. "This was critical technology. I am telling
you this was very competitive. Not having it would have put us at a
severe disadvantage, and others that might have bought it would not
have wanted to share it with us."
To grow its business, EMC needs to integrate data storage and
security, Tucci said. "That is mandatory and if you don't do it right,
you fall off. The whole name of the game here is how you build
continued value for the long shot."
The announcement of the deal came after RSA Security earlier on
Thursday issued a statement saying that it was in negotiations with
unnamed parties on a potential strategic deal. That statement followed
a New York Times report that said EMC was close to buying the digital
security company. RSA put itself up for auction several months ago,
the newspaper said.
The acquisition is expected to be completed late in the third quarter
or early in the fourth quarter of 2006, subject to customary closing
conditions and regulatory approvals, EMC said. Upon completion of the
deal, RSA will operate as EMC's Information Security Division,
headquartered in Bedford, Mass.
Art Coviello, RSA's current president and CEO, will become an
executive vice president of EMC and president of the division.
From isn at c4i.org Fri Jun 30 12:36:45 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:36:45 -0500 (CDT)
Subject: [ISN] 'Blue Pill' Prototype Creates 100% Undetectable Malware
Message-ID:
http://www.eweek.com/article2/0,1895,1983037,00.asp
By Ryan Naraine
June 28, 2006
A security researcher with expertise in rootkits has built a working
prototype of new technology that is capable of creating malware that
remains "100 percent undetectable," even on Windows Vista x64 systems.
Joanna Rutkowska, a stealth malware researcher at Singapore-based IT
security firm COSEINC, says the new Blue Pill concept uses AMD's
SVM/Pacifica virtualization technology to create an ultra-thin
hypervisor that takes complete control of the underlying operating
system.
Rutkowska plans to discuss the idea and demonstrate a working
prototype for Windows Vista x64 at the SyScan Conference in Singapore
on July 21 and at the Black Hat Briefings in Las Vegas on Aug. 3.
The Black Hat presentation will occur on the same day Microsoft is
scheduled to show off some of the key security features and
functionality being fitted into Vista.
Rutkowska said the presentation will deal with a "generic method" of
inserting arbitrary code into the Vista Beta 2 kernel (x64 edition)
without relying on any implementation bug.
The technique effectively bypasses a crucial anti-rootkit policy
change coming in Windows Vista that requires kernel-mode software to
have a digital signature to load on x64-based systems.
The idea of a virtual machine rootkit isn't entirely new. Researchers
at Microsoft Research and the University of Michigan have created a
VM-based rootkit called "SubVirt" that is nearly impossible to detect
because its state cannot be accessed by security software running in
the target system.
Now, Rutkowska is pushing the envelope even more, arguing that the
only way Blue Pill can be detected is if AMD's Pacifica technology is
flawed.
"The strength of the Blue Pill is based on the SVM technology,"
Rutkowska explained on her Invisible Things blog. She contends that if
generic detection could be written for the virtual machine technology,
then Blue Pill can be detected, but it also means that Pacifica is
"buggy."
"On the other hand, if you would not be able to come up with a general
detection technique for SVM based virtual machine, then you should
assume, that you would also not be able to detect Blue Pill," she
added.
"The idea behind Blue Pill is simple: your operating system swallows
the Blue Pill and it awakes inside the Matrix controlled by the ultra
thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without
restarting the system) and there is no performance penalty and all the
devices," she explained.
Rutkowska stressed that the Blue Pill technology does not rely on any
bug of the underlying operating system. "I have implemented a working
prototype for Vista x64, but I see no reasons why it should not be
possible to port it to other operating systems, like Linux or BSD
which can be run on x64 platform," she added.
Blue Pill is being developed exclusively for COSEINC Research and will
not be available for download. However, Rutkowska said the company is
planning to organize trainings about Blue Pill and other technologies
where the source code would be made available.
Rutkowska has previously done work on Red Pill, which can be used to
detect whether code is being executed under a VMM (virtual machine
monitor) or under a real environment.
From isn at c4i.org Fri Jun 30 12:37:50 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:37:50 -0500 (CDT)
Subject: [ISN] REVIEW: "Configuring SonicWALL Firewalls", Chris Lathem et al
Message-ID:
Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah"
BKCNSWFW.RVW 20060602
"Configuring SonicWALL Firewalls", Chris Lathem et al, 2006,
1-59749-250-7, U$49.95/C$69.95
%A Chris Lathem
%C 800 Hingham Street, Rockland, MA 02370
%D 2006
%G 1-59749-250-7
%I Syngress Media, Inc.
%O U$49.95/C$69.95 781-681-5151 fax: 781-681-3585 amy at syngress.com
%O http://www.amazon.com/exec/obidos/ASIN/1597492507/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1597492507/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1597492507/robsladesin03-20
%O Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 500 p.
%T "Configuring SonicWALL Firewalls"
Chapter one provides an overview of the basics of networking,
information security (at a rather simplistic level), and firewalls.
The features of SonicWALL devices are described in chapter two. The
material is mostly at sales brochure level. While some negative
points are raised the text is not particularly careful: at one point
we are told that the SonicWALL can terminate any type of VPN (Virtual
Private Network), while later it is admitted that it can terminate any
IPSec VPN. Management and configuration is covered in chapter three,
although the command line interface gets pretty short shrift. Access
control and policy management is dealt with in chapter four. Chapter
five reviews user accounts and authentication. The two routing
protocols possible with SonicWALL, RIP (Routing Information Protocol)
and OSPF (Open Shortest Path First), are described in chapter six.
Chapter seven explains network address translation (NAT) and lists the
SonicWALL dialogue boxes for it. Transparent (layer two) mode
screenshots are contained in chapter eight. Chapter nine throws
around terms like "attack detection and defence" and "intrusion
prevention" but is really a list of the application proxy setting
screens. IPSec adjustments are shown in chapter ten. Availability
and redundancy functions are described in eleven. "Troubleshooting,"
in chapter twelve, enumerates various utilities and diagnostics.
Chapter thirteen shows shots of the multi-device management system.
This is a decent enough replacement for vendor documentation, but not
much more.
copyright Robert M. Slade, 2006 BKCNSWFW.RVW 20060602
====================== (quote inserted randomly by Pegasus Mailer)
rslade at vcn.bc.ca slade at victoria.tc.ca rslade at computercrime.org
It is bad to suppress laughter;
it goes back down and spreads to your hips.
Dictionary Information Security www.syngress.com/catalog/?pid=4150
http://victoria.tc.ca/techrev/rms.htm
From isn at c4i.org Fri Jun 30 12:37:26 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:37:26 -0500 (CDT)
Subject: [ISN] Stolen VA Laptop and Hard Drive Recovered
Message-ID:
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352.html
By Christopher Lee and Zachary A. Goldfarb
Washington Post Staff Writers
June 30, 2006
Federal officials yesterday announced the recovery of computer
equipment stolen from an employee of the Department of Veterans
Affairs. They said that sensitive personal information of 26.5 million
veterans and military personnel apparently had not been accessed.
The laptop and external hard drive, stolen May 3 from a VA data
analyst's home in Aspen Hill, contained the names, birth dates and
Social Security numbers of millions of current and former service
members. The theft was the largest information security breach in
government history and raised fears of potential mass identity theft.
VA Secretary Jim Nicholson announced the recovery yesterday during a
hearing of the House Committee on Veterans Affairs.
"Law enforcement has in their possession the laptop and hard drive,"
Nicholson said. "The serial numbers match. They are diligently
conducting forensic analysis on it to see if they can tell whether
it's been duplicated or utilized or entered in any way, and that work
is not complete. However, they did say to me that there is reason to
be optimistic."
FBI officials and local authorities said at a news conference that a
person who had the laptop contacted U.S. Park Police on Wednesday
after seeing news accounts and notices of a $50,000 reward offered by
Montgomery County police. The devices were recovered in the "general
vicinity" of Aspen Hill, said Chief Dwight E. Pettiford of the Park
Police.
FBI Special Agent in Charge William D. Chase, of the agency's
Baltimore office, said it is "way too early" to say whether the person
will get the reward or whether criminal charges will be filed soon.
FBI spokeswoman Michelle Crnkovich said the tipster is not a suspect.
"A preliminary review of the equipment by computer forensic teams has
determined that the data base remains intact and has not been accessed
since it was stolen," the FBI said in a statement. "A thorough
forensic examination is underway, and the results will be shared as
soon as possible."
Lawmakers hailed the investigative work but said VA still has much to
do to improve data security.
"[T]he basic deficiencies leading to this data loss must be
corrected," Rep. Steve Buyer (R-Ind.), chairman of the Veterans
Affairs Committee, said in a statement. "The history of lenient
policies and lack of accountability within VA management must be
rectified."
Rep. Lane Evans (Ill.), the committee's ranking Democrat, said in a
statement: "Today's announcement does not relieve the Department of
Veterans Affairs from fixing its broken data security system and
failed leadership."
The theft has proved to be an embarrassing and expensive management
failure for VA. In a series of hearings, lawmakers have criticized
Nicholson for the department's lax security practices and sluggish
response, noting that the secretary was not told of the burglary for
13 days. The incident also has cast light on the department's
consistent ranking near the bottom among federal agencies in an annual
congressional scorecard of computer security.
Pedro Cadenas Jr., the VA official in charge of information security,
resigned yesterday for personal reasons, VA officials said. Earlier, a
high-ranking political appointee was dismissed and a longtime career
manager was forced to retire.
The Bush administration this week asked Congress for $160.5 million to
pay for free credit monitoring for veterans and military personnel. VA
already has budgeted $25 million to create a call center to handle
veterans' questions and to send letters alerting veterans about the
theft. Several veterans groups have filed class-action lawsuits
locally and in Kentucky against the government, seeking $1,000 in
damages per affected veteran.
Initially, VA thought that all of the 26.5 million people affected
were veterans. But a database comparison revealed that the stolen
equipment also contained Social Security numbers and other personal
information for as many as 2.2 million U.S. military personnel,
including 1.1 million active-duty military personnel, 430,000 National
Guard members and 645,000 reserve members.
Nicholson said it is too early to tell whether free credit monitoring
for veterans is now unnecessary. VA still plans to hire a data
analysis company to monitor whether veterans' identities are being
stolen, he said.
Rep. Bob Filner (D-Calif.) said yesterday that three VA documents
obtained by the Veterans Affairs Committee indicate that the data
analyst was authorized to take a laptop home and use a software
package to access the data. That contradicted Nicholson's previous
testimony that the employee was not authorized to have the information
at home.
"He got all the approvals that he was supposed to have," Filner said.
"I don't know of a policy that he violated, if you'll tell me one. And
that's the real negligence -- that there were no policies."
Nicholson said he had not seen the documents, and declined to comment
because the career analyst is challenging Nicholson's decision to fire
him.
Tim S. McClain, VA's general counsel, told the panel that one of the
documents did not apply to the laptop that was stolen. He acknowledged
that the other documents granted the analyst access to Social Security
numbers and permitted him to have software at home.
Jim Mueller, commander-in-chief of the national Veterans of Foreign
Wars, applauded the equipment's recovery, but said in a statement that
Nicholson still has much to do to repair the agency's reputation.
"The longer Secretary Nicholson waits to hold people accountable, the
more confidence he will lose in the eyes of America's veterans, their
families, and those who wear the uniform today," he said.
© 2006 The Washington Post Company
From isn at c4i.org Fri Jun 30 12:37:37 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:37:37 -0500 (CDT)
Subject: [ISN] Indy VA office is missing backup tape with vets' records
Message-ID:
http://www.indystar.com/apps/pbcs.dll/article?AID=/20060630/NEWS02/606300440
By Maureen Groppe
Star Washington Bureau
June 30, 2006
WASHINGTON -- The Department of Veterans Affairs is missing a backup
tape with more than 16,000 legal case records from an Indianapolis
office serving veterans in Indiana and Kentucky.
That disclosure came the same day Veterans Affairs Secretary Jim
Nicholson announced the recovery of a stolen laptop computer and hard
drive containing personal information on as many as 26.5 million
veterans.
The missing tape from the Regional General Counsel's Office in
Indianapolis doesn't contain as much data as was on the stolen laptop,
said U.S. Rep. Steve Buyer, R-Ind., who heads the House Veterans'
Affairs Committee. But the information is of greater sensitivity, he
said, because "much is privileged and confidential."
The Indianapolis tape contains personally identifiable information on
veterans, their dependents or department employees, such as dates of
birth, Social Security numbers, patient records and other
documentation related to legal cases handled by the Regional General
Counsel's Office.
The office, in the Federal Building in Indianapolis, handles VA cases
involving such issues as collections on bankruptcies, hospital debt,
tort claims, workers' compensation and other employee complaints. The
cases also may involve neighboring states.
Whether the tape was misplaced or stolen, or something else happened,
Buyer said, "is completely open to the realm of imagination and
speculation."
Nicholson said veterans potentially affected are being notified and
will have access to the same free credit-protection monitoring system
that has been offered to those whose information was on the stolen
laptop.
Copyright 2006 IndyStar.com. All rights reserved
From isn at c4i.org Fri Jun 30 12:36:57 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:36:57 -0500 (CDT)
Subject: [ISN] Authorities warn of wireless cyber pirates
Message-ID:
http://www.9news.com/acm_news.aspx?OSGNAME=KUSA&IKOBJECTID=1db245df-0abe-421a-019d-d112657c4feb&TEMPLATEID=0c76dce6-ac1f-02d8-0047-c589c01ca7bf
By Ward Lucas
I-Team Reporter
6/28/2006
DOUGLAS COUNTY - The Sheriff's Department says it's going to start
warning computer users that their networks may be vulnerable to
hackers.
It may be one of the first law enforcement agencies in the country to
do so.
Wireless equipment and home computer networks are everywhere these
days; almost every new computer sold is used to connect to other
computers in one way or another.
However, that wireless capability may be making those computers
vulnerable to hackers.
"If someone is driving by on the street they could easily use your
internet access to commit a crime, whether it's fraudulent credit card
transactions or surfing child porn or something else," said Brian
Radamacher, a member of the Douglas County Sheriff's Special
Investigations Unit.
Wireless equipment broadcasts its signal well beyond the walls of a
home, in some cases for up to a mile.
Anyone who picks up that signal can join an unprotected network and
use its internet connection.
Radamacher says hackers can use stolen Internet access to make
fraudulent credit card purchases or bank transfers.
He also says hackers can upload or download such things as child
pornography.
To the network's legitimate owner that activity is effectively
invisible; to investigators it appears to come from the owner's
internet connection. Innocent users can therefore find their computers
confiscated during police investigations.
"The unfortunate thing is when we go to issue the warrants or
something else you may end up getting your computer seized because of
it," said Radamacher. "A lot of times it can take months to get your
computer back after the processing."
The Sheriff's Department plans to equip several of its community
service and patrol cars with devices that detect unprotected computer
networks.
In cases where investigators can figure out who owns the networks,
they'll try to warn of potential security issues. They'll also drop
off brochures with instructions to computer users on how to
password-protect their networks.
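The detection the sheriff's office describes amounts to scanning for access points that advertise no encryption at all, or only WEP. The script below is an added example, not part of the original article and not the sheriff's department's own tool: it parses the terse output of NetworkManager's `nmcli -t -f SSID,SECURITY,SIGNAL dev wifi list` (assumed to be available on a Linux laptop; the scan text embedded in the script is constructed for the example, not a real capture) and lists the networks a brochure drop would target.

```python
"""Classify nearby Wi-Fi networks by the protection they advertise.

Added example. Parses NetworkManager's terse scan output, which
separates fields with ':' and escapes literal ':' and '\\' with a
backslash. SAMPLE_SCAN is constructed for the example.
"""
import subprocess
from dataclasses import dataclass

# Constructed sample of `nmcli -t -f SSID,SECURITY,SIGNAL dev wifi list`.
# Fields: SSID : SECURITY : SIGNAL(%). An empty SECURITY means open.
SAMPLE_SCAN = """\
HomeNet-2G:WPA2:78
linksys::55
NETGEAR\\:guest:WEP:41
Office:WPA1 WPA2:63
Corp-EAP:WPA2 802.1X:60
:WPA2:33
"""


@dataclass
class Network:
    ssid: str
    security: str
    signal: int
    verdict: str


def split_terse(line: str) -> list[str]:
    """Split an nmcli -t line on ':' while honouring '\\:' escapes."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # escaped character, keep literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def classify(security: str) -> str:
    """Map the SECURITY field to a verdict a patrol officer could act on."""
    flags = set(security.split())
    if not flags:
        return "OPEN: anyone in range can use this connection"
    if "WEP" in flags:
        return "WEAK: WEP is broken, upgrade to WPA2/WPA3"
    if flags & {"WPA2", "WPA3"}:
        if "WPA1" in flags:
            return "OK but allows WPA1 (TKIP) clients; disable it"
        return "OK"
    if "WPA1" in flags:
        return "WEAK: WPA1/TKIP only; upgrade to WPA2/WPA3"
    return f"UNKNOWN: {security}"


def parse_scan(text: str) -> list[Network]:
    nets = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = split_terse(raw)
        if len(parts) != 3:
            continue  # malformed line; skip rather than guess
        ssid, security, signal = parts
        nets.append(Network(ssid or "<hidden>", security,
                            int(signal or 0), classify(security)))
    return nets


def unprotected(nets: list[Network]) -> list[Network]:
    """Networks an owner should be warned about: open or WEP-only."""
    return [n for n in nets if n.verdict.startswith(("OPEN", "WEAK"))]


def scan_live() -> list[Network]:
    """Run a real scan (requires NetworkManager and a Wi-Fi interface)."""
    out = subprocess.run(
        ["nmcli", "-t", "-f", "SSID,SECURITY,SIGNAL", "dev", "wifi", "list"],
        capture_output=True, text=True, check=True).stdout
    return parse_scan(out)


if __name__ == "__main__":
    for n in parse_scan(SAMPLE_SCAN):
        print(f"{n.ssid:16} {n.signal:3}%  {n.security or '-':14} {n.verdict}")
```

Replace `parse_scan(SAMPLE_SCAN)` with `scan_live()` to run it against the networks actually in range; the verdict only reflects what the access point advertises, so a WPA2 network with a trivial passphrase still shows as "OK".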
Copyright by KUSA-TV, All Rights Reserved
From isn at c4i.org Fri Jun 30 12:37:12 2006
From: isn at c4i.org (InfoSec News)
Date: Fri, 30 Jun 2006 11:37:12 -0500 (CDT)
Subject: [ISN] It's the Economy, Stupid
Message-ID:
http://www.wired.com/news/columns/0,71264-0.html
By Bruce Schneier
June 29, 2006
I'm sitting in a conference room at Cambridge University, trying to
simultaneously finish this article for Wired News and pay attention to
the presenter onstage.
I'm in this awkward situation because 1) this article is due tomorrow,
and 2) I'm attending the fifth Workshop on the Economics of
Information Security, or WEIS: to my mind, the most interesting
computer security conference of the year.
The idea that economics has anything to do with computer security is
relatively new. Ross Anderson and I seem to have stumbled upon the
idea independently: he in his brilliant 2001 article, "Why
Information Security Is Hard -- An Economic Perspective," and I in
various essays and presentations from that same period.
WEIS began a year later at the University of California at Berkeley
and has grown ever since. It's the only workshop where technologists
get together with economists and lawyers and try to understand the
problems of computer security.
And economics has a lot to teach computer security. We generally think
of computer security as a problem of technology, but often systems
fail because of misplaced economic incentives: The people who could
protect a system are not the ones who suffer the costs of failure.
When you start looking, economic considerations are everywhere in
computer security. Hospitals' medical-records systems provide
comprehensive billing-management features for the administrators who
specify them, but are not so good at protecting patients' privacy.
Automated teller machines suffered from fraud in countries like the
United Kingdom and the Netherlands, where poor regulation left banks
without sufficient incentive to secure their systems, and allowed them
to pass the cost of fraud along to their customers. And one reason the
internet is insecure is that liability for attacks is so diffuse.
In all of these examples, the economic considerations of security are
more important than the technical considerations.
More generally, many of the most basic security questions are at least
as much economic as technical. Do we spend enough on keeping hackers
out of our computer systems? Or do we spend too much? For that matter,
do we spend appropriate amounts on police and Army services? And are
we spending our security budgets on the right things? In the shadow of
9/11, questions like these have a heightened importance.
Economics can actually explain many of the puzzling realities of
internet security. Firewalls are common, e-mail encryption is rare:
not because of the relative effectiveness of the technologies, but
because of the economic pressures that drive companies to install
them. Corporations rarely publicize information about intrusions;
that's because of economic incentives against doing so. And an
insecure operating system is the international standard, in part,
because its economic effects are largely borne not by the company that
builds the operating system, but by the customers that buy it.
Some of the most controversial cyberpolicy issues also sit squarely
between information security and economics. For example, the issue of
digital rights management: Is copyright law too restrictive -- or not
restrictive enough -- to maximize society's creative output? And if it
needs to be more restrictive, will DRM technologies benefit the music
industry or the technology vendors? Is Microsoft's Trusted Computing
initiative a good idea, or just another way for the company to lock
its customers into Windows, Media Player and Office? Any attempt to
answer these questions becomes rapidly entangled with both information
security and economic arguments.
WEIS encourages papers on these and other issues in economics and
computer security. We heard papers presented on the economics of
digital forensics of cell phones -- if you have an uncommon phone, the
police probably don't have the tools to perform forensic analysis --
and the effect of stock spam on stock prices: It actually works in the
short term. We learned that more-educated wireless network users are
not more likely to secure their access points, and that the best
predictor of wireless security is the default configuration of the
router.
Other researchers presented economic models to explain patch
management, peer-to-peer worms, investment in information security
technologies and opt-in versus opt-out privacy policies. There was a
field study that tried to estimate the cost to the U.S. economy for
information infrastructure failures: less than you might think. And
one of the most interesting papers looked at economic barriers to
adopting new security protocols, specifically DNS Security Extensions.
This is all heady stuff. In the early years, there was a bit of a
struggle as the economists and the computer security technologists
tried to learn each other's languages. But now it seems that there's a
lot more synergy, and more collaborations between the two camps.
I've long said that the fundamental problems in computer security are
no longer about technology; they're about applying technology.
Workshops like WEIS are helping us understand why good security
technologies fail and bad ones succeed, and that kind of insight is
critical if we're going to improve security in the information age.
-=-
Bruce Schneier is the CTO of Counterpane Internet Security and the
author of Beyond Fear: Thinking Sensibly About Security in an
Uncertain World. You can contact him through his website.